Reject passwords that are the same as login, first name, or last name
Category: Accounts / authentication
Some lazy users may use their login IDs or their names as passwords. This can be a security threat.
Such passwords should always be rejected.
#2 Updated by Go MAEDA about 1 month ago
- File 37279.patch added
The attached patch adds User#test_validate_password_complexity. It rejects passwords that are the same as the user's login, first name, last name, or email for now. I think it would be great if the method is extended to also reject passwords with dictionary words in the future.
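The rule described in the issue and in the note above, as an added stand-alone Ruby example (not the attached patch and not Redmine's own code). It assumes the user is a plain hash with `login`, `firstname`, `lastname` and `mail` keys, and it goes slightly beyond the page: the comparison is case-insensitive, ignores surrounding whitespace, and also rejects the local part of the e-mail address, since these are the near-miss forms a validator would otherwise let through.

```ruby
# Identity attributes a password must not be equal to (order is preserved in results).
IDENTITY_ATTRIBUTES = %i[login firstname lastname mail].freeze

# Returns the identity attributes the candidate password collides with.
# An empty array means the password passes this particular rule.
# Assumptions (not stated on the page): case-insensitive, whitespace-trimmed
# comparison, and the e-mail local part ("jsmith" of "jsmith@example.com")
# counts as a collision with :mail.
def identity_attributes_matching(password, user)
  pw = password.to_s.strip.downcase
  # A blank password is rejected by the presence check elsewhere; nothing to compare.
  return [] if pw.empty?

  IDENTITY_ATTRIBUTES.select do |attr|
    value = user[attr].to_s.strip.downcase
    next false if value.empty?          # unset attribute cannot collide
    value == pw ||
      (attr == :mail && value.split('@', 2).first == pw)
  end
end

# Builds the error messages a model validation would add to the password field.
def password_complexity_errors(password, user)
  identity_attributes_matching(password, user).map do |attr|
    "password must not be the same as #{attr}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample user, not real data.
  user = { login: 'jsmith', firstname: 'John', lastname: 'Smith',
           mail: 'jsmith@example.com' }
  %w[Smith jsmith JSMITH@example.com correct-horse-battery].each do |candidate|
    errors = password_complexity_errors(candidate, user)
    puts "#{candidate.inspect}: #{errors.empty? ? 'ok' : errors.join('; ')}"
  end
end
```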