It was noticed that wiki accounts are being created with username patterns along the lines of "The password to this account is xxx". Some examples as noticed by @Bsadowski1:
# [[ https://en.wikipedia.org/wiki/Special:Contributions/The_password_to_this_account_is_aedanlorfinkhasamajorcrushonpauldohertyssister | The_password_to_this_account_is_aedanlorfinkhasamajorcrushonpauldohertyssister ]]
# [[ https://meta.wikimedia.org/wiki/Special:Contributions/The_password_to_this_account_is_nnnnnnn | The_password_to_this_account_is_nnnnnnn ]]
# [[ https://en.wikipedia.org/wiki/Special:Contributions/My_password_is_literally_just_password | My_password_is_literally_just_password ]]
([[ https://tools.wmflabs.org/meta/gusersearch/?name=%25password%25&limit=500&show_locked=on | and many more ]])
There are plenty of [[ https://en.wikipedia.org/wiki/User:Jackfreeman69s_password_is_sandwich69 | clever ways to do abusive things like this ]] for which programmatic checks are difficult to make effective. But we should, at the very least, add a new password check, similar to the existing [[ https://gerrit.wikimedia.org/g/mediawiki/core/+/a0673d5913f62e1dcff7bf5a25dfea198c83a1eb/includes/password/PasswordPolicyChecks.php#95 | `PasswordCannotMatchUsername` ]], that checks whether the plain-text password is a substring of the corresponding username.
**Note:** not entirely sure if this task should be private.
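A sketch of the substring check proposed above, as an added example that is not MediaWiki core code. The function names, the case-insensitive comparison, the treatment of underscores and spaces as equivalent, and the handling of empty passwords are all assumptions; the sample passwords are the ones implied by the usernames listed in this task.

```php
<?php
// Added illustration; standalone, does not use MediaWiki classes.

/**
 * Hypothetical helper: fold case and treat '_' and ' ' as the same character
 * (assumption: both forms of a username refer to the same account).
 */
function normalizeForCompare( string $s ): string {
	return mb_strtolower( str_replace( '_', ' ', $s ), 'UTF-8' );
}

/**
 * Hypothetical check: returns true when the password is acceptable,
 * false when it appears verbatim inside the username.
 */
function passwordNotSubstringOfUsername( string $username, string $password ): bool {
	if ( $password === '' ) {
		// An empty string is a substring of every username; this sketch
		// leaves empty passwords to a separate minimum-length check.
		return true;
	}
	$haystack = normalizeForCompare( $username );
	$needle = normalizeForCompare( $password );
	return mb_strpos( $haystack, $needle, 0, 'UTF-8' ) === false;
}

// Usernames from this task; passwords are the ones the names announce.
// 'ExampleUser' and its passwords are constructed.
$cases = [
	[ 'My_password_is_literally_just_password', 'password', false ],
	[ 'The_password_to_this_account_is_nnnnnnn', 'nnnnnnn', false ],
	[ 'Jackfreeman69s_password_is_sandwich69', 'Sandwich69', false ], // case differs
	[ 'The password to this account is nnnnnnn', 'is_nnnnnnn', false ], // '_' vs ' '
	[ 'ExampleUser', 'correct horse battery staple', true ],
	[ 'ExampleUser', '', true ],
];

foreach ( $cases as [ $user, $pass, $expected ] ) {
	$ok = passwordNotSubstringOfUsername( $user, $pass );
	printf( "%-42s %-32s %s\n", $user, var_export( $pass, true ), $ok ? 'accepted' : 'rejected' );
	if ( $ok !== $expected ) {
		throw new RuntimeException( "Unexpected result for username '$user'" );
	}
}
```

A check like this only catches passwords embedded verbatim; a username that describes its password indirectly still passes.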