@aharelick said "Agree with max and the suggestions from OWASP say we should make the minimum 8 characters. They also say that the recommendations may be out of date, but I think it's a good place to start. Also, we should probably add the validator to RegistrationForm and ResetPasswordForm and ChangePasswordForm."
While we're thinking about this, it might be best to use a password entropy estimator rather than a minimum required length—this one developed by Dropbox might be good to try out.