2 files changed, 10 insertions, 8 deletions

diff --git a/Bugzilla/Auth/Verify.pm b/Bugzilla/Auth/Verify.pm
index 19d8dcc9e..5895534cd 100644
--- a/Bugzilla/Auth/Verify.pm
+++ b/Bugzilla/Auth/Verify.pm
@@ -72,7 +72,7 @@ sub create_or_update_user {
               || return { failure => AUTH_ERROR,
                           error   => 'auth_invalid_email',
                           details => {addr => $username} };
-            # Usually we'd call validate_password, but external authentication
+            # external authentication
             # systems might follow different standards than ours. So in this
             # place here, we call trick_taint without checks.
             trick_taint($password);
diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm
index ac6b71ac0..e46d1cd82 100644
--- a/Bugzilla/Auth/Verify/DB.pm
+++ b/Bugzilla/Auth/Verify/DB.pm
@@ -62,13 +62,15 @@ sub check_credentials {
     if (Bugzilla->usage_mode == USAGE_MODE_BROWSER &&
         Bugzilla->params->{password_check_on_login})
     {
-        my $check = validate_password_check($password);
-        if ($check) {
-            return {
-                failure => AUTH_ERROR,
-                user_error => $check,
-                details => { locked_user => $user }
-            }
+        my $pwqc = Bugzilla->passwdqc;
+        unless ($pwqc->validate_password($password)) {
+            my $reason = $pwqc->reason;
+            Bugzilla->audit(sprintf "%s logged in with a weak password (reason: %s)", $user->login, $reason);
+            $user->set_password_change_required(1);
+            $user->set_password_change_reason(
+                "You must change your password for the following reason: $reason"
+            );
+            $user->update();
         }
     }