Steps to replicate the issue (include links if applicable):
The embedded hint is the worst suggestion I have ever seen from Phabricator or any Wikimedia project:
After you set a new password, consider writing it down on a sticky note and attaching it to your monitor so you don't forget again! Choosing a very short, easy-to-remember password like "cat" or "1234" might also help.
If it is followed, it completely destroys the usefulness of passwords, allowing anyone to easily take control of accounts; bots would easily target these accounts as well. Various projects have strong requirements about the choice of a good password (notably for administrator accounts, or accounts created for privacy and whose owners could become a source of legal threats when editing sensitive articles like those about the war in Ukraine, or LGBTQI+ topics, or accounts used for development with the review of edits, or approval and integration of changes in code or policies). As well, noting passwords on Post-its is not secure at all.
This is also a very bad suggestion for any other web site: users are instructed everywhere to NEVER use those "easy" tricks that break all best recommendations made by many authorities and project managers (and even by Wikimedia itself).
Given the now very HUGE risk of third-party attacks on the web (where personal account details are stolen by the tens of millions, even on very popular sites that were supposed to be secured, including massive attacks against popular wikis), we need stronger passwords stored in safe places, and that are also unique for each site (so that users of the wiki will also NOT reuse their passwords for their other critical accounts such as their bank, merchant sites, gaming sites, or other professional websites, or government and social security websites).
In all cases, that statement quoted above should be discarded completely. It is much safer to forget a password that you can change again by asking the website to submit a request to generate a temporary password with which you can reconnect and change it immediately on first logon.
Instead, we should instruct users to consider using password managers (that can help generate strong passwords, and that can save them in a secured store). Today, password managers are integrated in most major web browsers, and allow synchronizing them across multiple devices, or can be integrated as plugins for most browsers or as accessibility companion apps for mobile devices.
Good password managers can also give hints when some known sites have been hacked or when user passwords that were harvested on users' devices or stolen from legitimate sites are found on the dark web, where they are republished or resold.
I hope this is not a joke, but such a joke on this kind of security-related topic should be removed.
Note that "Phabricator (People)" is old and comes from the version that existed in 2014/2015, when the Phabricator project was still not taken by Wikimedia; existing searches about it give results only in the legacy "phabricator.com" domain where it was hosted, and Phabricator was being experimented with to replace Bugzilla. Old Bugzilla bugs still reference that old instance of Phabricator, which is still active (even if new bugs can no longer be added there, there are some replies occurring, and it has not been frozen completely and archived, with links pointing to the new location which was set up on a subdomain of Wikimedia.org in 2016); but the former organization of its translation is still based on modules that existed in 2016; today, many projects have been restructured, but identifying i18n messages and fixing them is a huge and complex task, so there are a lot of legacy messages that were either not translated at all or not reviewed, with many errors, but it's not easy to see how they are used, as they are poorly documented (most often only line numbers in some files that may have changed a lot since then).