AreaFiftyLAN / lancie-api

Spring based implementation of the LANcie API
GNU General Public License v3.0

Improve required password strength #501

Open elarb opened 5 years ago

elarb commented 5 years ago

Currently, the password strength control is very poor (e.g. passwords with a single character are allowed). We should improve the required password strength to protect the users from being compromised (either manually or by automated means).

OWASP has a great guideline that we could follow.

TimvdLippe commented 5 years ago

I think a minimum length is good. A maximum length of 128 is necessary to ensure proper data persistence. I think we should not implement any other requirement and leave that to the user.

svenpopping commented 5 years ago

Maybe you can use the HaveIBeenPwned.com API to show people that their password has been in a data breach. But I'm not sure if that is possible...

elarb commented 5 years ago

@svenpopping Yeah, sounds cool and it's probably possible, but I think it's kind of out of scope and I don't think that we should depend on an external API for the password

dsluijk commented 3 years ago

Could use Dropbox's password checker: https://github.com/dropbox/zxcvbn
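An added example, not code from the lancie-api project, showing the two checks discussed in this thread: the length-only policy TimvdLippe argues for (minimum plus a 128-character ceiling, nothing else) and the Pwned Passwords lookup svenpopping mentions, done with the k-anonymity range query so only a 5-character hash prefix would ever leave the server. It is written in Python rather than the project's Java; the minimum length of 8 and the sample range response body are assumptions.

```python
import hashlib
from typing import Optional

MIN_LENGTH = 8     # assumed value; the thread fixes only the maximum
MAX_LENGTH = 128   # ceiling from the thread; keeps the input to the password hash bounded


def policy_violations(password: str) -> list:
    """Length-only policy as argued in the thread: a floor, a ceiling, no composition rules."""
    problems = []
    length = len(password)  # counts code points, so multi-byte characters are not penalised
    if length < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters required")
    if length > MAX_LENGTH:
        problems.append(f"at most {MAX_LENGTH} characters allowed")
    return problems


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range endpoint works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_prefix(password: str) -> str:
    """The only value that would leave the server: the first 5 hex characters (k-anonymity)."""
    return sha1_hex(password)[:5]


def breach_count(password: str, range_body: str) -> int:
    """Match the remaining 35 hex characters against a range response of 'SUFFIX:COUNT' lines.
    The body is supplied by the caller, so no network I/O happens here; 0 means not found."""
    suffix = sha1_hex(password)[5:]
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, range_body: Optional[str] = None) -> list:
    """Mandatory length policy first; the breach lookup only runs when a range body is given."""
    problems = policy_violations(password)
    if not problems and range_body is not None:
        seen = breach_count(password, range_body)
        if seen:
            problems.append(f"password appeared {seen} times in known breaches")
    return problems


# Constructed sample body for prefix 5BAA6 (SHA-1 of "password" starts 5BAA61E4...); counts are made up.
SAMPLE_RANGE_BODY = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n00000000000000000000000000000000000:2\n"
```

Because the breach check receives the response body as an argument, the API call stays an optional, separately wired step and the length policy keeps working if that dependency is dropped.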