When a low-value account is taken over but the email is not changed, we want to be able to lock the account but allow the owner to recover. Proper account locking means the owner will need to request unlocking, which is an extra inconvenience for everyone. So instead we just invalidate the password, and the owner can recover the account via password reset.
We can notify the owner via email, but maybe their email address is wrong, in which case they won't be able to recover their account; tough luck. But they should at least understand why they can't log in, instead of just getting confusing "wrong password" errors.
So we want to:
- Create a new invalid password type, ScrambledPassword / scrambled (must be exactly this string, as we went ahead and used it in {T395073}).
- When the password check fails and this password type is used, show a different error message that tells the user that their account has been compromised ("probably compromised"? not sure about the exact wording), their password has been invalidated, and they should do a password reset.
- Create a maintenance script that takes a username list, scrambles their password (just need to prefix it with :scrambled:<reason>), and invalidates their session. Maybe also sends emails.
- Prevent setting an identical password during password reset.
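
A small Python model of the four points above, added here as an illustration; it is not MediaWiki code and not the eventual implementation. Only the `:scrambled:<reason>` prefix comes from the task: the `:pbkdf2-demo:` hash format, the function names, the status strings, the colon-free restriction on `<reason>`, and the user-record layout are all assumptions.

```python
import hashlib, hmac, os, re

PREFIX = ":scrambled:"  # type tag from the task; everything else here is assumed

def hash_password(password, salt=None):
    """Stand-in for the real hash: ':pbkdf2-demo:<salt>:<key>' (made-up format)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f":pbkdf2-demo:{salt.hex()}:{key.hex()}"

def verify(stored, password):
    """Recompute the demo hash with the stored salt and compare in constant time."""
    _, _kind, salt_hex, _key_hex = stored.split(":")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)

def scramble(stored, reason):
    """Prefix the existing hash so it can never validate but is still kept."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", reason):  # assumed: no ':' in reason
        raise ValueError("reason must not contain ':'")
    if stored.startswith(PREFIX):
        return stored  # already scrambled; do not nest prefixes
    return f"{PREFIX}{reason}{stored}"

def unwrap(stored):
    """Return (reason, original_hash) for a scrambled value, else None."""
    if not stored.startswith(PREFIX):
        return None
    reason, _, inner = stored[len(PREFIX):].partition(":")
    return reason, ":" + inner

def check_login(stored, password):
    """A scrambled password always fails, but with its own status for the UI."""
    if unwrap(stored) is not None:
        return "scrambled"  # caller shows the "password invalidated, reset it" text
    return "ok" if verify(stored, password) else "wrong-password"

def reset_password(stored, new_password):
    """Password reset: refuse to bring back the invalidated password."""
    wrapped = unwrap(stored)
    if wrapped and verify(wrapped[1], new_password):
        raise ValueError("new password must differ from the invalidated one")
    return hash_password(new_password)

def scramble_accounts(users, usernames, reason):
    """Maintenance pass over {username: {'password': ..., 'token': ...}}."""
    for name in usernames:
        users[name]["password"] = scramble(users[name]["password"], reason)
        users[name]["token"] = os.urandom(16).hex()  # rotating it drops sessions
```

Keeping the original hash behind the prefix is what makes the identical-password check at reset time possible; replacing it with random data would lose that.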