Go to create a new user page. Ensure that local.inc does not contain definition of variable $reject_compromised_password. The password checker popover should not tell about compromised password. In commit #d0541ef0201d1804bce7ef5154115328ca3929aa a mistake has been made in the comparison, but the contribution has been integrated since the check was not supposed to live too long (local.inc to be replaced by site admin UI config). However, due to current availability of our best experts in field, we should not check breached password on all instances. Integrators should not assume that a future work will be made soon https://gerrit.tuleap.net/#/c/10672/4/src/common/password/PasswordStrategy.class.php@41 This is part of story #11182: prevent users to use a breached password Change-Id: I67cc2a0dcb4babe4d3aa9e2463eecdcc26c80c5b