[BUG] The password complexity requirements are counter to best practices #7503

@grahamc

Description

Describe the bug

We just set up Heimdall in a new environment and then spun our wheels for a while trying to change the admin password. We kept generating new random passwords, and they continued to fail the password complexity requirements.

This is counter to a variety of password best practices:

There should be no requirement for upper or lower case or numbers or special characters.

-- https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

Users also express frustration when online services reject their attempts to create complex passwords.

-- https://pages.nist.gov/800-63-4/sp800-63b.html#complexity

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.

-- https://pages.nist.gov/800-63-3/sp800-63b.html?utm_source=chatgpt.com#:~:text=Verifiers%20SHOULD%20NOT%20impose%20other%20composition%20rules%20(e.g.%2C%20requiring%20mixtures%20of%20different%20character%20types%20or%20prohibiting%20consecutively%20repeated%20characters)%20for%20memorized%20secrets.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy a new copy of Heimdall
  2. Try to change the admin password, using a random password generator
  3. Repeat step 2 until success.

Expected behavior

I would expect Heimdall2 to follow current best practices on password complexity.

Desktop (please complete the following information):

  • OS: Linux
  • Browser: Chrome
  • Version: 143.0.7499.109
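The divergence the report describes, as an added example that is not Heimdall2's code: a composition-rule policy of the kind complained about next to a verifier that follows the SP 800-63B rules quoted above (length floor, blocklist comparison, no character-class rules). The blocklist, the context word list and the sample passwords are constructed for the demonstration.

```python
import re
import unicodedata
from typing import Iterable, List

# Constructed stand-in for a blocklist of breached and commonly used passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1!"}

def composition_rule_check(pw: str) -> List[str]:
    """Composition policy of the kind the report describes (constructed here):
    one character of every class is mandatory. Returns the failed rules."""
    failures = []
    if len(pw) < 8:
        failures.append("min length 8")
    if not re.search(r"[A-Z]", pw):
        failures.append("uppercase required")
    if not re.search(r"[a-z]", pw):
        failures.append("lowercase required")
    if not re.search(r"\d", pw):
        failures.append("digit required")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("special character required")
    return failures

def nist_800_63b_check(pw: str, context: Iterable[str] = ("heimdall",),
                       blocklist=BLOCKLIST) -> List[str]:
    """SP 800-63B memorized-secret verifier: length floor of 8, ceiling of 64
    (the minimum NIST asks verifiers to permit), Unicode accepted and
    NFKC-normalized, blocklist comparison, and no composition rules."""
    norm = unicodedata.normalize("NFKC", pw)
    lowered = norm.lower()
    failures = []
    if len(norm) < 8:
        failures.append("min length 8")
    if len(norm) > 64:
        failures.append("max length 64")
    if lowered in blocklist:
        failures.append("on blocklist")
    if len(norm) >= 2 and len(set(norm)) == 1:
        failures.append("repeated characters")
    steps = {ord(b) - ord(a) for a, b in zip(norm, norm[1:])}
    if steps == {1} or steps == {-1}:
        failures.append("sequential characters")
    if any(w and w.lower() in lowered for w in context):
        failures.append("context-specific word")
    return failures

if __name__ == "__main__":
    # Constructed sample: typical output of a lowercase-plus-digit generator.
    print(composition_rule_check("k7w2mz9q4rtnx3vhp8"), nist_800_63b_check("k7w2mz9q4rtnx3vhp8"))
```

The random 18-character password is rejected by the composition policy and accepted by the NIST-style verifier, while "Password1!" passes every composition rule and is caught only by the blocklist.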
