When implementing a password strength checker lately, I relied mainly on https://github.com/dropbox/zxcvbn (which is great) but added in a check for "correct horse battery staple" (and variants). Probably not that important in the big scheme of things, but I thought it might get a chuckle and/or some respect if anyone happened to activate that code path.
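A sketch of the kind of check described in the comment above, as an added example that is not the commenter's code or part of zxcvbn. The function names, the leetspeak table, the choice of which variants count (case, separators, leetspeak, padding, word order) and the stub estimator are all assumptions.

```javascript
// Added example, not the commenter's code. All names are hypothetical.
const KNOWN_WORDS = ["correct", "horse", "battery", "staple"];
// Assumed leetspeak table; extend to taste.
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };

// Undo common leetspeak, then drop separators and anything else non-alphabetic.
function deleet(text) {
  return text.replace(/[013457@$!]/g, (ch) => LEET[ch]).replace(/[^a-z]/g, "");
}

// True when s is exactly the four words, each used once, in any order.
// Greedy matching is safe because no word is a prefix of another.
function isWordPermutation(s) {
  const remaining = new Set(KNOWN_WORDS);
  while (s.length > 0) {
    const word = [...remaining].find((w) => s.startsWith(w));
    if (!word) return false;
    remaining.delete(word);
    s = s.slice(word.length);
  }
  return remaining.size === 0;
}

function isKnownPhrase(password) {
  const folded = password.normalize("NFKC").toLowerCase();
  // Second candidate: strip padding such as a trailing "1!" before de-leeting,
  // otherwise the padding itself would be read as letters.
  const trimmed = folded.replace(/^[^a-z]+|[^a-z]+$/g, "");
  return [folded, trimmed].some((c) => isWordPermutation(deleet(c)));
}

// `estimate` is any function returning a zxcvbn-shaped result
// ({ score: 0..4, feedback: { warning } }); pass zxcvbn itself in production.
function checkPassword(password, estimate) {
  if (isKnownPhrase(password)) {
    return { score: 0, warning: "Well-known example passphrase; pick your own words." };
  }
  const result = estimate(password);
  return { score: result.score, warning: result.feedback?.warning ?? "" };
}

// Constructed stand-in so the example runs offline; NOT zxcvbn's algorithm.
const stubEstimate = (pw) => ({ score: pw.length >= 16 ? 4 : 1, feedback: { warning: "" } });

console.log(checkPassword("C0rrect-Horse-Battery-Staple1!", stubEstimate));
```

Running the denylist before the estimator means a long, high-scoring string is still rejected when it is only a restyled copy of the published phrase.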
That would make a somewhat interesting testing strategy.
In a similar vein, React intentionally calls user-implemented functions which are meant to be pure twice in a row (even though that's technically unnecessary), just to ensure the programmer actually makes the function pure (so the application behaves reproducibly in the future).
If a system requires an account/password, and people find ways to bypass or weaken account security, perhaps you shouldn't be using accounts.
In days of yore, "cypherpunk/cypherpunk" or "cypherpunks/cypherpunks" was a common convention. Those are found 140 and 38 times respectively in haveibeenpwned.
Considering many systems went out of their way to prevent / disable such accounts, and the convention fell out of practice, that's notable.