We currently require 8-character passwords by default, but should also add a default blacklist for "password", "phabricator", etc.
- Find some reasonable list(s) of common passwords.
- Put them in a file somewhere.
- Add anything we can think of that's Phabricator-related ("phabricator", "codereview").
- Add a default-on option to reject passwords on the blacklist. Or just do it without an option, I can't really imagine anyone wanting to turn this off.
Context: http://www.theverge.com/2013/11/20/5126906/weak-github-passwords-lead-to-account-security-breach
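
One way the check described in this task could look, as an added example that is not Phabricator's own code. The function names, the one-entry-per-line file format with `#` comments, the error strings and the sample list are all assumptions.

```php
<?php
// Added example, not Phabricator code. All names here are hypothetical.

const MIN_PASSWORD_LENGTH = 8;                       // default minimum from the task
const PRODUCT_TERMS = ['phabricator', 'codereview']; // product-related terms from the task

// Load the blacklist file (assumed format: one password per line, '#' for
// comments) and merge in the product terms. Returns a lowercase lookup set.
function load_blacklist(string $path): array {
  $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
  if ($lines === false) {
    // Fail closed: a missing list must not silently disable the check.
    throw new RuntimeException("Unable to read password blacklist: {$path}");
  }
  $set = [];
  foreach (array_merge($lines, PRODUCT_TERMS) as $line) {
    $entry = strtolower(trim($line));
    if ($entry === '' || $entry[0] === '#') {
      continue;
    }
    // Numeric strings such as "12345678" become integer keys; isset() below
    // applies the same conversion, so the lookup still matches.
    $set[$entry] = true;
  }
  return $set;
}

// Returns null if the password is acceptable, otherwise a reason string.
function check_password(string $password, array $blacklist): ?string {
  if (strlen($password) < MIN_PASSWORD_LENGTH) {
    return 'Password must be at least ' . MIN_PASSWORD_LENGTH . ' characters.';
  }
  // Case-insensitive match, so "Password1" is caught by "password1".
  if (isset($blacklist[strtolower($password)])) {
    return 'Password is on the list of common passwords.';
  }
  return null;
}

// Constructed sample list, written to a temporary file so the example runs offline.
$path = tempnam(sys_get_temp_dir(), 'pwbl');
file_put_contents($path, "# constructed sample\npassword\npassword1\n12345678\nqwertyuiop\n");
$blacklist = load_blacklist($path);
unlink($path);

foreach (['short', 'Password1', '12345678', 'PHABRICATOR', 'correct horse battery'] as $candidate) {
  printf("%-24s %s\n", $candidate, check_password($candidate, $blacklist) ?? 'accepted');
}
```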