Password Policy issue (Weak Protect)

Ehy, I don't know if this is valid, but I decide to report it because when I try to report it on hackerone, the issue becomes duplicate, so that's not bad at all, issue valid but duplicate. This is the poc: http://grabilla.com/04616-eda16a72-0174-4eb1-82c6-4716a66b60d1.html Well, let's explain this report. When I tried to create a new Slack Acount, after confirming your email, I writed on the field of username: Scn4Scn4Scn4 (Sorry, I forget to do a screenshot) and in the next step, when the site ask you the password for the account I have writed on that field the same characters: Scn4Scn4Scn4 (Screen here: http://grabilla.com/04616-2b26db74-0eb3-4bbf-b3e0-b296d3d27e5d.html) Then, I click on "All Done" and the account was successful created but I was surprised..because I know and I saw that some sites,when you try to create an account..for example, with the password: xxx and username/name (same): xxx , the site normally tells you.."Password can contains the same letters/characters of the Username/name!" Why? To avoid the risk of stealing/bruteforcing password. (For example, by see the "Username/Name" of the victim!) Note: Yes, is right the question that some users asked "How anyone can know that what's your password"..This is only an important pratice that some important sites adopt to reduce the risk of the password stealing and I think that a site like Slack should consider it. As I told you, this is a password policy issue..("Password can contains etc boablaba"), you can check it here: http://www.comptechdoc.org/independent/security/policies/password-policy.html See the 16 point..of "4.0 Password Protection" section: "Don't use part of your login name in your password. " In some cases..by consider these words.."Don't use part of your login name in your password." some users decided independent to choose a password with same characters of the username "..but I think that, normally..a site, have to "tells and advertise" them that it's recommend to use a different password from the username! My point is that some time it not depends from you the user choice but I think that by telling them the right way to choose, is the best solution I think that by these words, you understand what the problem is. Wait a reply ASAP, Br, Simone