Authored by Nick Malcolm
Account takeovers are a common cybersecurity threat made much easier when a user decides to use a weak password to protect their account. This MR introduces a static list of known weak passwords against which the user's chosen password can be compared. The password is also validated against components of the user's attributes, such as their name, email, and username. Weak passwords are prevented only when the `block_weak_passwords` feature flag is enabled, and only at registration or when a password is changed. (It is not checked or enforced when the password is not changed, such as during sign-in.)

Notably, and in comparison to password complexity rules, blocking weak passwords is a requirement of NIST SP 800-63B:

> When processing requests to establish and change memorized secrets,
> verifiers SHALL compare the prospective secrets against a list that
> contains values known to be commonly-used, expected, or compromised.
>
> - https://pages.nist.gov/800-63-3/sp800-63b.html

See also:

- https://gitlab.com/gitlab-org/gitlab/-/merge_requests/86310
- https://gitlab.com/gitlab-org/gitlab/-/issues/23610
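The check described in the commit message, as an added example that is not GitLab's own code: the password is compared against a static list of weak passwords and against fragments of the user's name, email and username, and the block is applied only when the feature flag is on and the password is actually being set or changed. The word list, the `MIN_FRAGMENT` threshold and all function names are constructed for this illustration.

```ruby
require 'set'

# Constructed stand-in for the static list of known weak passwords
# (the real list shipped with the MR is far larger).
WEAK_PASSWORDS = Set.new(%w[password password1 123456 qwerty letmein welcome iloveyou admin123])

# Shortest attribute fragment we refuse to see inside a password (an assumption,
# so that short words like "com" or "lee" do not reject every password).
MIN_FRAGMENT = 4

# Splits a user attribute into the fragments worth checking: the whole value
# (local part only for emails) plus each word of at least MIN_FRAGMENT chars.
def attribute_fragments(value)
  return [] if value.nil? || value.empty?
  text = value.downcase
  text = text.split('@').first.to_s if text.include?('@') # ignore the email domain
  ([text] + text.split(/[^a-z0-9]+/)).select { |p| p.length >= MIN_FRAGMENT }.uniq
end

# Returns the reasons a password is weak (empty array when it passes).
# The attributes mirror those named in the commit message: name, email, username.
def weak_password_reasons(password, name: nil, email: nil, username: nil)
  reasons = []
  normalized = password.to_s.downcase
  reasons << :common_password if WEAK_PASSWORDS.include?(normalized)
  { name: name, email: email, username: username }.each do |field, value|
    if attribute_fragments(value).any? { |frag| normalized.include?(frag) }
      reasons << :"contains_#{field}"
    end
  end
  reasons
end

# Flag-gated enforcement: nothing is blocked unless the feature flag is enabled
# and the password is being established or changed (never on plain sign-in).
def block_weak_password?(password, flag_enabled:, password_changed:, **attrs)
  return false unless flag_enabled && password_changed
  !weak_password_reasons(password, **attrs).empty?
end
```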