@Gargron
If I understand correctly, the captured Mastodon accounts will be used to send spam.

I would do this:
1. Make the user choose a strong password when registering and changing the password.
2. Periodically check the database of accounts for the presence of passwords from the dictionary.

By the way, does it make sense to implement two-factor authentication with a password and a key file? As a key file, users can use their avatar.