From 09975a31008acb78fbfcd94d33f335a5aeec8f09 Mon Sep 17 00:00:00 2001 From: Mechiel Lukkien Date: Sat, 15 Feb 2025 11:48:10 +0100 Subject: [PATCH] when warning about weak passwords, mention that passwords reused at other services in particular based on issue #286 --- main.go | 9 +++++---- webaccount/account.js | 2 +- webaccount/account.ts | 2 +- webadmin/admin.js | 2 +- webadmin/admin.ts | 2 +- 5 files changed, 9 insertions(+), 8 deletions(-) diff --git a/main.go b/main.go index 7bd11b2..3a700e7 100644 --- a/main.go +++ b/main.go @@ -1771,10 +1771,11 @@ func xreadpassword() string { Type new password. Password WILL echo. WARNING: Bots will try to bruteforce your password. Connections with failed -authentication attempts will be rate limited but attackers WILL find weak -passwords. If your account is compromised, spammers are likely to abuse your -system, spamming your address and the wider internet in your name. So please -pick a random, unguessable password, preferably at least 12 characters. +authentication attempts will be rate limited but attackers WILL find passwords +reused at other services and weak passwords. If your account is compromised, +spammers are likely to abuse your system, spamming your address and the wider +internet in your name. So please pick a random, unguessable password, preferably +at least 12 characters. `) fmt.Printf("password: ") diff --git a/webaccount/account.js b/webaccount/account.js index 2c6e583..b81ac47 100644 --- a/webaccount/account.js +++ b/webaccount/account.js 
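Review bot: The closing advice in the new main.go text still asks only for "a random, unguessable password", so the reuse risk named in the added sentence never becomes an instruction to the reader. A random password that is also used at another service stays exposed, and rate limiting of failed attempts does not help, because a password taken from another service is correct on the first attempt. Consider ending the message with `So please pick a random, unguessable password that you use nowhere else, preferably at least 12 characters.` and applying the same wording to the `box(yellow, …)` strings in webaccount/account.ts and webadmin/admin.ts. The body of xreadpassword continues outside the hunk, so whether a length or reuse check is enforced after the prompt is not visible here.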
@@ -1483,7 +1483,7 @@ const index = async () => { password2.type = 'text'; password1.value = s; password2.value = s; - }), dom.div(dom._class('text'), box(yellow, 'Important: Bots will try to bruteforce your password. Connections with failed authentication attempts will be rate limited but attackers WILL find weak passwords. If your account is compromised, spammers are likely to abuse your system, spamming your address and the wider internet in your name. So please pick a random, unguessable password, preferrably at least 12 characters.'))), async function submit(e) { + }), dom.div(dom._class('text'), box(yellow, 'Important: Bots will try to bruteforce your password. Connections with failed authentication attempts will be rate limited but attackers WILL find passwords reused at other services and weak passwords. If your account is compromised, spammers are likely to abuse your system, spamming your address and the wider internet in your name. So please pick a random, unguessable password, preferrably at least 12 characters.'))), async function submit(e) { e.stopPropagation(); e.preventDefault(); if (!password1.value || password1.value !== password2.value) { diff --git a/webaccount/account.ts b/webaccount/account.ts index 171182e..8599678 100644 --- a/webaccount/account.ts +++ b/webaccount/account.ts 
@@ -868,7 +868,7 @@ const index = async () => { password2.value = s }), dom.div(dom._class('text'), - box(yellow, 'Important: Bots will try to bruteforce your password. Connections with failed authentication attempts will be rate limited but attackers WILL find weak passwords. If your account is compromised, spammers are likely to abuse your system, spamming your address and the wider internet in your name. So please pick a random, unguessable password, preferrably at least 12 characters.'), + box(yellow, 'Important: Bots will try to bruteforce your password. Connections with failed authentication attempts will be rate limited but attackers WILL find passwords reused at other services and weak passwords. If your account is compromised, spammers are likely to abuse your system, spamming your address and the wider internet in your name. So please pick a random, unguessable password, preferrably at least 12 characters.'), ), ), async function submit(e: SubmitEvent) { diff --git a/webadmin/admin.js b/webadmin/admin.js index 1126c02..793edbd 100644 --- a/webadmin/admin.js +++ b/webadmin/admin.js 
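Review bot: The rewritten string keeps the misspelling "preferrably", while the main.go text in this same commit spells it "preferably". Since the line is being touched anyway, end it with `…unguessable password, preferably at least 12 characters.'),` here and in the webadmin/admin.ts hunk, and regenerate the two .js files. The warning now lives in three hand-maintained copies (Go, account.ts, admin.ts) that have already drifted ("WARNING" versus "Important", the spelling). A short comment beside each copy such as `// Keep in sync with the password warning in main.go and webadmin/admin.ts.` would help future edits to this security wording reach all of them. The enclosing `index` function starts and ends outside the hunk.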
@@ -2256,7 +2256,7 @@ const account = async (name) => { } password.type = 'text'; password.value = s; - }), dom.div(dom._class('text'), box(yellow, 'Important: Bots will try to bruteforce your password. Connections with failed authentication attempts will be rate limited but attackers WILL find weak passwords. If your account is compromised, spammers are likely to abuse your system, spamming your address and the wider internet in your name. So please pick a random, unguessable password, preferrably at least 12 characters.'))), async function submit(e) { + }), dom.div(dom._class('text'), box(yellow, 'Important: Bots will try to bruteforce your password. Connections with failed authentication attempts will be rate limited but attackers WILL find passwords reused at other services and weak passwords. If your account is compromised, spammers are likely to abuse your system, spamming your address and the wider internet in your name. So please pick a random, unguessable password, preferrably at least 12 characters.'))), async function submit(e) { e.stopPropagation(); e.preventDefault(); await check(fieldsetPassword, client.SetPassword(name, password.value)); diff --git a/webadmin/admin.ts b/webadmin/admin.ts index f3dc360..d2cc07d 100644 --- a/webadmin/admin.ts +++ b/webadmin/admin.ts 
@@ -1075,7 +1075,7 @@ const account = async (name: string) => { password.value = s }), dom.div(dom._class('text'), - box(yellow, 'Important: Bots will try to bruteforce your password. Connections with failed authentication attempts will be rate limited but attackers WILL find weak passwords. If your account is compromised, spammers are likely to abuse your system, spamming your address and the wider internet in your name. So please pick a random, unguessable password, preferrably at least 12 characters.'), + box(yellow, 'Important: Bots will try to bruteforce your password. Connections with failed authentication attempts will be rate limited but attackers WILL find passwords reused at other services and weak passwords. If your account is compromised, spammers are likely to abuse your system, spamming your address and the wider internet in your name. So please pick a random, unguessable password, preferrably at least 12 characters.'), ), ), async function submit(e: SubmitEvent) {
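Review bot: On the admin page this text speaks of "your password" and "your account", but the enclosing function is `account = async (name: string)`. The generated admin.js hunk in this commit shows the form calling `client.SetPassword(name, password.value)`, so the password being set appears to belong to another account. Wording that refers to "the password for this account" would fit better. It may also be worth adding a sentence such as `The account holder should replace a password set here after first login.`, because a password chosen by an admin is known to a second person. The function continues outside the hunk, so this is inferred from the visible context only.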