Hi!
The first thing I noticed: you are grepping for /^$user/; shouldn't you grep for /^$user:/?
If you have, for example, a user named "foo" and another one named "foobar", your grep would catch both and generate an error.
Another point: you should print the same error message for the case that the user is not found in the password file and for the case that the passwords don't match. This way an attacker can't easily get a list of valid usernames.
Update:
- to check password strength, you could use Crypt::Cracklib
- You shouldn't be sending passwords by email
----
amphiplex
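
The two points above (exact match on the name field, one error message for both failure cases), shown as an added example that is not part of the original post or of the script under review. It assumes a `user:hash` password file with crypt() hashes and a system crypt() that accepts the two-character salt used here; `check_login`, the sample users and the dummy hash are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample password file lines (user:crypt-hash), built here
# with crypt() so the example is self-contained.
my %plain = (foo => 'secret1', foobar => 'secret2');
my @passwd_lines = map { "$_:" . crypt($plain{$_}, 'ab') } sort keys %plain;

# Hypothetical helper: returns 1 on success, 0 on any failure.
sub check_login {
    my ($user, $pass, @lines) = @_;
    my $stored;
    for my $line (@lines) {
        chomp(my $l = $line);
        # Split on the first colon and compare the whole name field.
        # Same effect as anchoring the pattern as /^$user:/, but characters
        # in $user are never interpreted as regex syntax.
        my ($name, $hash) = split /:/, $l, 2;
        next unless defined $hash && $name eq $user;
        $stored = $hash;
        last;
    }
    # Unknown users are hashed against a dummy value, so both failure
    # paths call crypt() once and return the same result.
    my $ref = defined $stored ? $stored : 'abXXXXXXXXXXX';
    my $got = crypt($pass, $ref);
    my $ok  = defined $got && $got eq $ref;
    return (defined $stored && $ok) ? 1 : 0;
}

# One message for "no such user" and "wrong password".
my $GENERIC_ERROR = "Invalid username or password.\n";

for my $try (['foo', 'secret1'], ['foo', 'secret2'], ['fo', 'secret1'], ['nobody', 'x']) {
    my ($u, $p) = @$try;
    print "$u: ", check_login($u, $p, @passwd_lines) ? "OK\n" : $GENERIC_ERROR;
}

# The unanchored pattern matches both "foo" and "foobar" lines.
my $user   = 'foo';
my @loose  = grep { /^$user/ }      @passwd_lines;
my @strict = grep { /^\Q$user\E:/ } @passwd_lines;
printf "unanchored: %d match(es), anchored: %d match(es)\n",
    scalar @loose, scalar @strict;
```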