aaronrenner / phx_gen_auth

An authentication system generator for Phoenix 1.5 applications.

Consider adding a password validation rule that would disallow using the email address as the password. #54

Closed. zorn closed this 4 years ago.

zorn commented 4 years ago

I saw this image in a joke thread, but the warning about using the account email as the password seems like something people might be doing. I don't have any real data, but I wanted to start a conversation. Should we disallow using the email as the password?

[image attachment: Attachment-1]

josevalim commented 4 years ago

I know password rules can get quite complex; that's why I decided to stick with the most important rule, which is length related. But it is rather the starting point. You may also want to make sure the username (if you have one) is not included in the email, names as in the picture above, validate the password is not in the list of leaked passwords, etc. Unless we have evidence there is another simple but very effective rule to add. :)

aaronrenner commented 4 years ago

@zorn Thanks for bringing this up!

I agree with @josevalim that this is intended to be a starting point, and people can make these rules more complex as needed. The intention behind having three additional rules that are commented out is so the user sees they have the freedom to make adjustments as they need.

https://github.com/aaronrenner/phx_gen_auth/blob/3ed8ce9655ec07047445588808db028e5bfba01c/priv/templates/phx.gen.auth/schema.ex#L41-L49

If we start receiving multiple requests for a new rule example, I'd be happy to consider adding it. But for now, I think I'm going to leave it as is.
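For readers who want to add the rule zorn proposes (and the related "password must not contain the username" rule josevalim mentions) to their own generated schema, here is an added example. It is not code from phx_gen_auth, nor from anyone in this thread: a custom `Ecto.Changeset` validator plugged into a registration changeset modelled on the generated template. The module name `MyApp.Accounts.User`, the four-character threshold for the local-part check, and the case-insensitive comparison are assumptions for illustration.

```elixir
# Added example, not part of phx_gen_auth or of this issue thread.
# MyApp.Accounts.User, the field names and the validation thresholds are
# assumptions modelled on the generated schema; adapt them to your project.
defmodule MyApp.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    field :password, :string, virtual: true, redact: true
    timestamps()
  end

  # Mirrors the shape of the generated registration changeset: length is the
  # primary rule, then the extra email-related rule is applied on top.
  # Password hashing is left out here to keep the focus on validation.
  def registration_changeset(user, attrs, _opts \\ []) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_required([:email, :password])
    |> validate_length(:password, min: 12, max: 80)
    |> validate_password_not_email()
  end

  # Rejects a password that equals the account email, or that contains the
  # email's local part (the text before "@"), compared case-insensitively.
  # Both are among the first guesses an attacker tries against a known email.
  # validate_change/3 only runs when :password is actually being changed, so
  # updates that do not touch the password are unaffected.
  defp validate_password_not_email(changeset) do
    case get_field(changeset, :email) do
      nil ->
        changeset

      email ->
        email = String.downcase(email)
        # Assumption: very short local parts ("jo") are not checked, to avoid
        # rejecting unrelated passwords that happen to contain them.
        local_part = email |> String.split("@") |> hd()

        validate_change(changeset, :password, fn :password, password ->
          candidate = String.downcase(password)

          cond do
            candidate == email ->
              [password: "cannot be the same as your email address"]

            String.length(local_part) >= 4 and String.contains?(candidate, local_part) ->
              [password: "cannot contain the username part of your email address"]

            true ->
              []
          end
        end)
    end
  end
end
```

With this in place, `MyApp.Accounts.User.registration_changeset(%MyApp.Accounts.User{}, %{email: "alice@example.com", password: "alice@example.com"}).errors` contains `{:password, {"cannot be the same as your email address", []}}`, and a password such as `"Alice-Is-Great-2020"` is rejected by the second branch because it contains the local part `alice`. Everything else in the generated `validate_password/2` (the length rule and the commented-out format rules) stays as it is; the leaked-password lookup josevalim mentions would be a further, separate validator.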