Updating Password Length Policy based on new NIST Guidelines

[mdueltgen]

🗣 Description

[NIST's guidance] (https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver) is: "Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length." Based on internal discussion we are looking to adopt as split SHALL/SHOULD approach for the policy.

💭 Motivation and context

Closes #442

🧪 Testing

✅ Pre-approval checklist

• [x] This PR has an informative and human-readable title.
• [x] Changes are limited to a single goal - eschew scope creep!
• [x] If applicable, All future TODOs are captured in issues, which are referenced in the PR description.
• [x] The relevant issues PR resolves are linked preferably via closing keywords.
• [x] All relevant type-of-change labels have been added.
• [x] I have read and agree to the CONTRIBUTING.md document.
• [x] These code changes follow cisagov code standards.
• [x] All relevant repo and/or project documentation has been updated to reflect the changes in this PR.

✅ Pre-merge Checklist

• ~This PR has been smoke tested to ensure main is in a functional state when this PR is merged.~
• [x] Squash all commits into one PR level commit using the Squash and merge button.

✅ Post-merge Checklist

• [x] Delete the branch to clean up.
• [x] Close issues resolved by this PR if the closing keywords did not activate.

[mdueltgen]

@buidav I forgot about the drift rules, thanks for the reminder. Added them in.