Enforce a stronger password policy
Our only current policy is a min-length of 6 chars; ensuring we don't allow using the login as the password, and enforcing basic complexity or a higher length, would help.
Reported by https://eldritch.cafe/@alice
added AreaBackend AreaSecurity TypeEnhancement labels
mentioned in merge request !826 (merged)
Increasing the password length from six characters seems reasonable, as well as not allowing the use of the login.
However, I personally don't like mandatory complexity requirements. My experience with users shows it isn't always helpful in creating better passwords, as users tend to just get frustrated and use their favorite "good" password everywhere, e.g. Qwerty123!.
In my opinion it is much better to implement something else instead, such as login rate limiting (maybe even progressive rate limiting, e.g. not allowing logging in more often than every 10 seconds, with each three incorrect attempts doubling the timeout), account lockdown (e.g. after 20 incorrect attempts the login is frozen for an hour unless reactivated via email), and maybe running newly created passwords against a top-100 dictionary and rejecting too-popular ones.
Also it is good to add some suggestions during password creation and encourage users to pick longer, better passwords like passphrases.
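The controls proposed in the comment above, written out as an added example (this is not code from the issue, the merge requests, or the project itself): a password check that rejects a password equal to the login or present in a small common-password list, plus a per-account login throttle that doubles the wait after every three failures starting from 10 seconds and freezes the account for an hour after 20 failures until an explicit unlock (standing in for the e-mail reactivation). The minimum length of 8, the common-password list, and the class and function names are assumptions chosen for the example; a real deployment would load a much larger breached-password list and persist the throttle state per account rather than in memory.

```python
# Added example of the password policy and progressive login throttle
# discussed in the issue; names, defaults and sample data are assumptions.

# Constructed stand-in for a "top-N most common passwords" list.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "qwerty123", "qwerty123!",
    "letmein", "iloveyou", "admin", "welcome", "monkey",
}


def password_policy_errors(password, login, min_length=8, common=COMMON_PASSWORDS):
    """Return a list of policy violations for a proposed password.

    No complexity rule is applied on purpose (see the comment above):
    we reject short, login-equal and well-known passwords instead.
    """
    errors = []
    if len(password) < min_length:
        errors.append("too_short")
    if password.strip().lower() == login.strip().lower():
        errors.append("matches_login")
    if password.lower() in common:
        errors.append("too_common")
    return errors


class LoginThrottle:
    """Per-account throttle: progressive delay between attempts plus a hard lockout.

    Time is passed in explicitly (seconds as a float) so the behaviour
    is deterministic and testable; a real server would use time.time().
    """

    def __init__(self, base_delay=10.0, attempts_per_doubling=3,
                 lockout_after=20, lockout_seconds=3600.0):
        self.base_delay = base_delay
        self.attempts_per_doubling = attempts_per_doubling
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.next_allowed = 0.0   # earliest time another attempt is evaluated
        self.locked_until = 0.0   # > now means the account is frozen

    def check(self, now):
        """Return (allowed, seconds_to_wait) for an attempt at time `now`.

        Attempts made too early are refused before the password is even
        checked, so they neither leak information nor count as failures.
        """
        if now < self.locked_until:
            return False, self.locked_until - now
        if now < self.next_allowed:
            return False, self.next_allowed - now
        return True, 0.0

    def record_failure(self, now):
        """Register a wrong password; return the wait imposed on the account.

        Delay = base_delay * 2 ** (failures // attempts_per_doubling):
        10 s for failures 1-2, 20 s for 3-5, 40 s for 6-8, and so on.
        The lockout_after-th failure freezes the account instead.
        """
        self.failures += 1
        if self.failures >= self.lockout_after:
            self.locked_until = now + self.lockout_seconds
            return self.lockout_seconds
        delay = self.base_delay * 2 ** (self.failures // self.attempts_per_doubling)
        self.next_allowed = now + delay
        return delay

    def record_success(self):
        """A correct password clears the failure history."""
        self.failures = 0
        self.next_allowed = 0.0
        self.locked_until = 0.0

    def unlock(self):
        """Explicit reactivation (e.g. via an e-mailed link); same effect as success."""
        self.record_success()


def attempt_login(throttle, now, password_ok):
    """Apply the throttle around a credential check; returns an outcome label."""
    allowed, wait = throttle.check(now)
    if not allowed:
        return "locked" if now < throttle.locked_until else "too_soon"
    if password_ok:
        throttle.record_success()
        return "ok"
    throttle.record_failure(now)
    return "bad_password"


if __name__ == "__main__":
    print(password_policy_errors("Qwerty123!", "alice"))
    t = LoginThrottle()
    for n in range(1, 8):
        print(n, "failures -> wait", t.record_failure(float(n * 100)), "s")
```

The throttle deliberately refuses early attempts without evaluating the password, so a client that ignores the wait cannot burn through the lockout budget faster; the unlock path is the only way out of the frozen state before the hour expires.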
mentioned in merge request !901 (merged)
assigned to @eliotberriot
closed via merge request !901 (merged)