Implenment strong password requirement for new users

[giohappy]

FROM UN security assesment:

---

Security Risk(s): During testing we identified that application does not require that users have strong passwords, which makes it easier for attackers to compromise user accounts. The application only enforces a minimum of six characters password.

Cause(s): Lack of Enforcement Controls.

Remediation(s): An authentication mechanism is only as strong as its credentials. For this reason, it is important to require users to have strong passwords. Lack of password complexity significantly reduces the search space when trying to guess user's passwords, making brute-force attacks easier.

A password strength policy should contain the following attributes:

• At least 14 characters long; more than 14 characters is better
• Different from the default (initial) password
• Not be the same as the username.
• Composed of at least three of the following character classes:
• upper case letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
• lower case letters abcdefghijklmnopqrstuvwxy
• numbers 0123456789
• punctuation marks:@#$%^&*()+=`{}[]:";'< >?,./) e.)
• Not be based on any personal information that is easily available to potential adversaries, such as names of family members, pets, friends, co-workers, birthdays, addresses, phone numbers etc.
• Not be based on a word found in dictionaries of any language or based on simple patterns such as aaabbb, qwerty, etc

---

[giohappy]

@EddyCatt the PR implements the following:

• min password length 14 chars
• required uppercase letters
• required lowercase letters
• required at least 1 number
• password must be different from username, email, first name and last name
• password must not be inside this list

The other requirements will be skipped since we don't have any means to check similarity to friends, teammates, etc.

[giohappy]

Production instance updated.