[RFC] LoginPasswordType - Remove password length constraint.

[artggd]

Hi,

The form LoginPasswordType has a constraint on the password length. This kind of constraint is useful for password creation / update but not much for the login form.

My issue here is that I'm extending BoltAuth by adding a custom AuthorisationHandler to allow my users to login through a webservice. Some of these existing users have passwords with less than 6 characters.

I could override the form itself but I reckon this constraint could simply be removed because it also gives a potential attacker a clue on the passwords hashed in the database.

Alternatively, making the length configurable could be a solution.

[SvanteRichter]

I usually like the current NIST guidelines for these sort of things;

Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber.

from https://pages.nist.gov/800-63-3/sp800-63b.html#reqauthtype

But, adding a option to configure the minlength seems fine by me as long as it defaults to 6 or 8