Currently, the password check on login will check no matter the password entered, even if it is not the user's correct password. This could allow someone to enter a pwned password for any account and lock it down. The reason it does this is that the check currently uses the CheckingPassword event, which triggers before the user's password is validated, and not after. What would need to be done is for the code to be moved to an event/middleware/etc. where it can be made sure the user's password is correct before checking against the database.
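The ordering problem described above, modelled in Python as an added example (not the project's own code): the same breach check placed before and after credential verification. All names here (`User`, `is_pwned`, `login_check_before_verify`, `login_check_after_verify`) are hypothetical, and the breached-password set is constructed sample data standing in for the real database.

```python
import hashlib
import hmac
import os

# Constructed sample data: stand-in for the breached-password database.
PWNED = {hashlib.sha1(p.encode()).hexdigest() for p in ("password", "123456")}


def is_pwned(password):
    return hashlib.sha1(password.encode()).hexdigest() in PWNED


class User:
    def __init__(self, name, password):
        self.name = name
        self.salt = os.urandom(16)
        self.hash = self._derive(password)
        self.locked = False

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def verify(self, password):
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(self._derive(password), self.hash)


def login_check_before_verify(user, password):
    """Ordering described in the report: the breach check sees whatever was typed."""
    if user.locked:
        return "locked"
    if is_pwned(password):
        user.locked = True  # fires even when this is not the user's password
        return "locked"
    return "ok" if user.verify(password) else "denied"


def login_check_after_verify(user, password):
    """Corrected ordering: only a verified password reaches the breach check."""
    if user.locked:
        return "locked"
    if not user.verify(password):
        return "denied"  # wrong guesses never touch the lock state
    if is_pwned(password):
        user.locked = True
        return "locked"
    return "ok"
```

A regression test for the fix should assert that a failed login with a breached password leaves the account's lock state unchanged.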