It was noticed that wiki accounts are being created with username patterns along the lines of "The password to this account is xxx". Some examples as noticed by @Bsadowski1:
There are plenty of clever ways to do abusive things like this where it becomes difficult for programmatic checks to be effective. But we should, at the very least, add a new password check similar to the existing [[ https://gerrit.wikimedia.org/g/mediawiki/core/+/a0673d5913f62e1dcff7bf5a25dfea198c83a1eb/includes/password/PasswordPolicyChecks.php#95 | PasswordCannotMatchUsername ]] which checks for plain text passwords as substrings of the corresponding username.
Note: not entirely sure if this task should be private.
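A sketch of the substring check proposed above, as an added example that is not MediaWiki's code and not part of the original task. The function name `passwordNotSubstringOfUsername`, the case-insensitive comparison and the underscore/space folding are assumptions made here, and the sample usernames are constructed; it needs the `mbstring` extension.

```php
<?php
declare( strict_types=1 );

/**
 * Hypothetical stand-alone check (not MediaWiki code): returns true when the
 * password is acceptable, false when it appears anywhere inside the username.
 */
function passwordNotSubstringOfUsername( string $username, string $password ): bool {
	// An empty needle matches everywhere in PHP 8 and warns in PHP 7, so
	// leave empty passwords to the minimum-length policy instead.
	if ( $password === '' ) {
		return true;
	}
	// Assumption: compare case-insensitively and treat "_" and " " alike,
	// so a name registered with underscores cannot dodge the check.
	$normalise = static function ( string $s ): string {
		return mb_strtolower( str_replace( '_', ' ', $s ), 'UTF-8' );
	};
	return mb_strpos( $normalise( $username ), $normalise( $password ), 0, 'UTF-8' ) === false;
}

// Constructed sample input, modelled on the pattern described in the task.
// Each row: username, password, whether the password should be accepted.
$cases = [
	[ 'The password to this account is hunter2', 'hunter2', false ],
	[ 'The password to this account is Hunter2', 'hunter2', false ], // case differs
	[ 'Password_is_correct_horse', 'correct horse', false ],         // "_" vs " "
	[ 'ExampleUser', 'ExampleUser', false ],                         // exact match
	[ 'ExampleUser', 'unrelated-long-passphrase', true ],
	[ 'ExampleUser', '', true ],                                     // left to length policy
];

foreach ( $cases as [ $username, $password, $expected ] ) {
	$ok = passwordNotSubstringOfUsername( $username, $password );
	printf( "%-42s %-30s %s\n", $username, var_export( $password, true ), $ok ? 'accept' : 'reject' );
	if ( $ok !== $expected ) {
		throw new RuntimeException( "Unexpected result for username '$username'" );
	}
}
```

Because an exact match is also a substring, this check subsumes a plain username-equals-password comparison. Very short passwords will match many usernames, so it belongs alongside a minimum-length policy rather than in place of one.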