WeakPassword returns true even for long, random passwords
Context
Original title: Flaky seed: db/fixtures/development/18_abuse_reports.rb
Related to today's broken master incident
== Seed from db/fixtures/development/18_abuse_reports.rb
..................rake aborted!
ActiveRecord::RecordInvalid: Validation failed: Password must not contain commonly used combinations of words and letters
/builds/gitlab-org/gitlab/vendor/ruby/2.7.0/gems/activerecord-6.1.6.1/lib/active_record/validations.rb:80:in `raise_validation_error'
Looks like Devise.friendly_token(password_length.max) can produce unsafe password input.
We need to address the random entry here to avoid commonly used combinations of words and letters
Problem
Random passwords are more likely to include a "forbidden substring" as the password grows in length. For example, a four-letter name can genuinely appear by chance in a password of 128 random characters.
Proposal
Skip the weak substring checks when the password is >= 64 chars. (Still always check against the weak passwords list.)
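As an added illustration of the proposed rule (example code written for this issue, not GitLab's own validator, using constructed placeholder word lists and an assumed 64-character threshold), together with the probability estimate that motivates it:

```ruby
# Added example: a sketch of the proposed rule, not GitLab's own validator.
# The word lists below are constructed placeholders, not GitLab's real lists.
WEAK_PASSWORDS = %w[password 123456 qwerty].freeze   # exact-match denylist
FORBIDDEN_SUBSTRINGS = %w[gitlab admin user].freeze  # "commonly used" words
SUBSTRING_CHECK_MAX_LENGTH = 64                      # proposed threshold

def weak_password?(password)
  normalized = password.downcase
  # The exact-match denylist always applies, whatever the length.
  return true if WEAK_PASSWORDS.include?(normalized)
  # The substring check is skipped at or above the threshold, because a long
  # random password is increasingly likely to contain a short word by chance.
  return false if password.length >= SUBSTRING_CHECK_MAX_LENGTH

  FORBIDDEN_SUBSTRINGS.any? { |word| normalized.include?(word) }
end

# Probability that a uniformly random string of `length` characters over an
# alphabet of `alphabet_size` symbols contains a given `word_length`-character
# word at least once. Each of the (length - word_length + 1) start positions is
# treated as an independent trial, a close approximation for short words.
# The default of 36 reflects case-insensitive matching of [A-Za-z0-9].
def chance_of_random_hit(length:, word_length:, alphabet_size: 36)
  positions = length - word_length + 1
  return 0.0 if positions <= 0

  per_position = 1.0 / (alphabet_size.to_f**word_length)
  1.0 - (1.0 - per_position)**positions
end

if $PROGRAM_NAME == __FILE__
  [16, 64, 128].each do |len|
    printf("length %3d: P(4-letter word appears) = %.2e\n", len,
           chance_of_random_hit(length: len, word_length: 4))
  end
end
```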
Edited by Nick Malcolm