feat: reject common passwords in SetupRequest

- Add ~75 common plaintext passwords to setup.py validator
- Check case-insensitively; passes complexity but blocked
- Add tests: reject common, accept unique, short common fail on length
- Update Security.md docs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

backend/tests/test_models.py

@@ -191,6 +191,35 @@ def test_setup_request_master_password_complexity_still_enforced() -> None:
     assert "special character" in str(exc_info.value)
 
 
+def test_setup_request_rejects_common_passwords() -> None:
+    """SetupRequest rejects common passwords that pass all other complexity checks."""
+    from app.models.setup import SetupRequest
+
+    # Passw0rd! passes length (10), uppercase, digit, special checks but is too common
+    with pytest.raises(ValidationError) as exc_info:
+        SetupRequest(master_password="Passw0rd!")
+    assert "too common" in str(exc_info.value).lower()
+
+
+def test_setup_request_accepts_valid_unique_password() -> None:
+    """SetupRequest accepts a password that meets all requirements and is not common."""
+    from app.models.setup import SetupRequest
+
+    req = SetupRequest(master_password="MyV3ryStr0ng!P@ssw0rd")
+    assert req.master_password == "MyV3ryStr0ng!P@ssw0rd"
+
+
+def test_setup_request_rejects_short_common_passwords() -> None:
+    """SetupRequest rejects short common passwords (rejected for length, not common check)."""
+    from app.models.setup import SetupRequest
+
+    for password in ["letmein", "admin", "qwerty", "shadow"]:
+        with pytest.raises(ValidationError) as exc_info:
+            SetupRequest(master_password=password)
+        # These fail the minimum length check first
+        assert "at least 8 characters" in str(exc_info.value)
+
+
 # ---------------------------------------------------------------------------
 # DashboardBanItem country_code validator
 # ---------------------------------------------------------------------------