Uninett / nav

Network Administration Visualized
GNU General Public License v3.0

Allow pluggable password-policies #2808

Open hmpf opened 6 months ago

hmpf commented 6 months ago

Different organizations have different policies for password quality. The current policy for local users is hardcoded.

hmpf commented 6 months ago

Django already supports this; it is only a matter of using the existing functionality and wrapping it in our own config-system. https://docs.djangoproject.com/en/3.2/topics/auth/passwords/#module-django.contrib.auth.password_validation

hmpf commented 6 months ago

Example policy we need to easily support:

A, B, C, D configurable but defaults to 1.

The only relevant validator that comes with Django is django.contrib.auth.password_validation.MinimumLengthValidator.

We need to write our own validator for the four M character validators. I assume that it must be possible to further specify which "special" characters are valid, but we do need a default.

Maybe have an "OR"-validator that takes lists of validators as an option? Should we have one validator per specification, or a single one covering uppercase, lowercase, numbers and specials?
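As an added illustration (not code from the NAV project or from this thread), here is one shape the single "character requirements" validator discussed above could take: it follows Django's validator protocol (`validate()` raising `ValidationError`, `get_help_text()`), takes the four minimum counts as `OPTIONS` that default to 1, and makes the set of special characters configurable. The fallback `ValidationError` class is an assumption so the logic can be run without Django installed.

```python
import string

try:
    from django.core.exceptions import ValidationError
except ImportError:  # assumption: run stand-alone when Django is absent
    class ValidationError(Exception):
        def __init__(self, message, code=None, params=None):
            super().__init__(message)
            self.code, self.params = code, params or {}


class PasswordCharacterValidator:
    """Require at least N characters from each of four character classes.

    In settings this is wired in via AUTH_PASSWORD_VALIDATORS, e.g.
    {"NAME": "myapp.validators.PasswordCharacterValidator",
     "OPTIONS": {"min_digits": 2, "special_characters": "!?#"}}
    """

    def __init__(self, min_uppercase=1, min_lowercase=1, min_digits=1,
                 min_special=1, special_characters=string.punctuation):
        # The four classes and their minimum counts (A, B, C, D in the issue).
        self.requirements = (
            ("uppercase letter", min_uppercase, str.isupper),
            ("lowercase letter", min_lowercase, str.islower),
            ("digit", min_digits, str.isdigit),
            ("special character", min_special,
             lambda c: c in special_characters),
        )

    def validate(self, password, user=None):
        # Django calls validate(); raise ValidationError on the first unmet rule.
        for name, minimum, predicate in self.requirements:
            found = sum(1 for c in password if predicate(c))
            if found < minimum:
                raise ValidationError(
                    "The password must contain at least %(min)d %(name)s(s).",
                    code="password_too_weak",
                    params={"min": minimum, "name": name})

    def get_help_text(self):
        # Shown to the user on the password form; rules set to 0 are omitted.
        return "; ".join("at least %d %s(s)" % (minimum, name)
                         for name, minimum, _ in self.requirements
                         if minimum > 0)


def is_acceptable(password, **options):
    """True/False wrapper around validate(), handy for tests and scripts."""
    try:
        PasswordCharacterValidator(**options).validate(password)
    except ValidationError:
        return False
    return True
```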

hmpf commented 6 months ago

The Django app django-password-validators supports sub-rules i-iv with a single validator: django_password_validators.password_character_requirements.password_validation.PasswordCharacterValidator

On second look, it drags in a lot of things we don't need like forms and views and a password history watcher.

hmpf commented 6 months ago

Here's another: https://github.com/i3thuan5/django-password-policies-validator