Weak password report should check if password contains username

Using the username as a base for the password is generally considered a bad practice. The weak password report could check if the password contains the username or a variation of it (mixed case, common substitutions like e->3 a->@, …)

@mpitt welcome!

We currently leverage this library for evaluating weak passwords: zxcvbn

As well as the opposite of username/email (“narmak” in my case), current year, user’s birth year, etc.