From a333241d950766fd6475aabc87d92fabb4773c9a Mon Sep 17 00:00:00 2001
From: Abdeali Chharchhodawala <99460106+Abdeali099@users.noreply.github.com>
Date: Fri, 19 Dec 2025 14:44:22 +0530
Subject: [PATCH] fix: handle password feedback for common words and
 suggestions (#35156)

* fix: handle password feedback for common words and suggestions

* refactor: enhance password strength failure msg

* refactor: keep suggestion html align with title
---
 frappe/core/doctype/user/user.py  | 22 +++++++++++++++++++++-
 frappe/utils/password_strength.py |  4 ++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
index 4b56dcbd2a..10e86975ee 100644
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@@ -1285,7 +1285,27 @@ def handle_password_test_fail(feedback: dict):
 	suggestions = feedback.get("suggestions", [])
 	warning = feedback.get("warning", "")
 
-	frappe.throw(msg=" ".join([warning, *suggestions]), title=_("Invalid Password"))
+	# Add fallback suggestion if nothing provided
+	if not (suggestions or warning):
+		suggestions = [_("Better add a few more letters or another word")]
+
+	message_parts = []
+
+	if warning:
+		message_parts.append(f'<div class="alert alert-warning" role="alert">{warning}</div>')
+
+	if suggestions:
+		suggestions_html = (
+			'<ul style="margin: 0; padding-left: 1em;">'
+			+ "".join(f"<li>{suggestion}</li>" for suggestion in suggestions)
+			+ "</ul>"
+		)
+		message_parts.append(suggestions_html)
+
+	frappe.throw(
+		msg="".join(message_parts),
+		title=_("Password requirements not met"),
+	)
 
 
 def update_gravatar(name):
diff --git a/frappe/utils/password_strength.py b/frappe/utils/password_strength.py
index 32c6d567de..0e42480edd 100644
--- a/frappe/utils/password_strength.py
+++ b/frappe/utils/password_strength.py
@@ -186,4 +186,8 @@ def get_dictionary_match_feedback(match: "_Match", is_sole_match: bool) -> "Pass
 	if match.get("l33t_entropy"):
 		suggestions.append(_("Predictable substitutions like '@' instead of 'a' don't help very much."))
 
+	if not (warning or suggestions):
+		warning = _("Common words are easy to guess.")
+		suggestions.extend([_("Use a few uncommon words together."), _("Add numbers or special characters.")])
+
 	return {"warning": warning, "suggestions": suggestions}