password policy: suggest edits

[mayakacz]

Based on a contract review with a customer, suggesting edits for a few items that we do today and could make more explicit:

• Do not log or capture passwords when they are entered <- only question here is if we are doing this with Tailscale SSH session recording for certain sessions; if that's the case, can we state these logs are always encrypted at rest and have tight access controls?
• Don't hard code plaintext passwords/ usernames in scripts, files, programs <- already in policy, tried to make more explicit
• Change default passwords <- already in policy
• Change initial passwords for users <- added to the default password section
• Enforce minimum length / strength of passwords <- would prefer not to have specific complexity requirements. Suggested edits re: randomly generated passwords. Suggest we implement minimum defaults in our password manager, if possible, but not add to policy.