#22 Weak password policy

The password policy is incredibly weak. There is a very low character requirement, no check on common passwords, no check on previous passwords and no check on username aliases.