
blueprints: add default Password policy (cherry-pick #11793) #11993

Merged
BeryJu merged 1 commit into version-2024.10 from cherry-pick-05c2fe-version-2024.10
Nov 11, 2024

Conversation

@gcp-cherry-pick-bot (Contributor)

Cherry-picked blueprints: add default Password policy (#11793)

  • add password policy to default password change flow

This change complies with the minimal compositional requirements by
NIST SP 800-63 Digital Identity Guidelines. See
https://pages.nist.gov/800-63-4/sp800-63b.html#password

More work is needed to comply with other parts of the Guidelines,
specifically

> If the chosen password is found on the blocklist, the CSP or verifier
> [...] SHALL provide the reason for rejection.

and

> Verifiers SHALL offer guidance to the subscriber to assist the user in
> choosing a strong password. This is particularly important following
> the rejection of a password on the blocklist as it discourages trivial
> modification of listed weak passwords.

  • add docs for default Password policy

  • remove HIBP from default Password policy

  • add zxcvbn to default Password policy

  • add fallback password error message to password policy, fix validation policy

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

  • reword docs

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

  • add HIBP caveat

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

  • separate policy into separate blueprint

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

  • use password policy for oobe flow

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

  • kiss

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
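The two NIST SP 800-63B requirements quoted in the commit message (state the reason when a blocklisted password is rejected, and give guidance that discourages trivial modification of a listed weak password), together with the "fallback password error message" item, are illustrated by the Python example below. It is added here and is not authentik's PasswordPolicy code. The length bounds (minimum 8 characters, accept at least 64) come from SP 800-63B itself; the blocklist, the substitution map, the guidance strings and the names `check_password`, `core_form` and `error_message` are constructed for this illustration. It goes one step beyond the quoted text by also rejecting a password whose reduced "core" form is on the blocklist, so that trivial edits of a listed password are caught rather than merely discouraged.

```python
"""Password acceptance check modelled on the password section of NIST SP 800-63B.

Constructed example: this is not authentik's PasswordPolicy implementation.
The length bounds (minimum 8, accept at least 64 characters) are SP 800-63B's;
the blocklist, substitution map, guidance strings and function names are made
up for this illustration.
"""
import re
import unicodedata
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

MIN_LENGTH = 8   # SP 800-63B: passwords SHALL be at least 8 characters long
MAX_LENGTH = 64  # SP 800-63B: verifiers SHALL accept at least 64 characters

# Constructed stand-in for a blocklist of common or compromised passwords.
# A real deployment loads a large corpus (HIBP is one source the PR mentions).
BLOCKLIST = frozenset({"password", "123456", "qwerty", "letmein", "welcome", "admin"})

# Shown when a check fails without giving a specific reason.
FALLBACK_MESSAGE = "Password does not meet the password policy."

# Constructed map of common character substitutions; used to recognise
# trivial modifications of blocklisted passwords such as "P@ssw0rd123!".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


@dataclass
class Verdict:
    ok: bool
    reason: Optional[str] = None  # why the password was rejected, if known
    guidance: str = ""            # what the user should do instead


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def core_form(password: str) -> str:
    """Reduce a password to its core: lowercase, drop trailing digits and
    punctuation, then undo common substitutions. 'P@ssw0rd123!' -> 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", password.lower())
    return stripped.translate(LEET_MAP)


def check_password(password: str, context_words: Iterable[str] = (),
                   extra_checks: Iterable[Callable[[str], bool]] = ()) -> Verdict:
    """Return a Verdict; every rejection by a built-in rule carries the reason
    and guidance the NIST text calls for. extra_checks are opaque predicates
    (e.g. a strength estimator) that only answer accept/reject."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return Verdict(False, f"Password is shorter than {MIN_LENGTH} characters.",
                       "Use a longer passphrase; length helps more than symbols do.")
    if len(pw) > MAX_LENGTH:
        return Verdict(False, f"Password is longer than {MAX_LENGTH} characters.",
                       f"Shorten it to at most {MAX_LENGTH} characters.")
    lowered = pw.lower()
    if lowered in BLOCKLIST or core_form(pw) in BLOCKLIST:
        return Verdict(False,
                       "Password is on the list of commonly used or compromised passwords.",
                       "Appending digits or swapping letters for symbols does not help; "
                       "choose an unrelated passphrase of several words.")
    for word in context_words:
        if word and word.lower() in lowered:
            return Verdict(False, "Password contains your username or the service name.",
                           "Pick a passphrase that has nothing to do with this account.")
    for check in extra_checks:
        if not check(pw):
            return Verdict(False)  # no specific reason: caller shows FALLBACK_MESSAGE
    return Verdict(True)


def error_message(verdict: Verdict) -> str:
    """Text to show the user: reason plus guidance, or the generic fallback."""
    if verdict.ok:
        return ""
    if verdict.reason is None:
        return FALLBACK_MESSAGE
    return f"{verdict.reason} {verdict.guidance}".strip()


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123!", "short", "correct horse battery staple"]:
        v = check_password(candidate, context_words=["jdoe", "authentik"])
        print(f"{candidate!r}: {'accepted' if v.ok else error_message(v)}")
```

The split between built-in rules and `extra_checks` is deliberate: a blocklist or length rule knows exactly why it failed and can say so, whereas an opaque scorer such as zxcvbn may only return a threshold verdict, which is where a generic fallback message is needed.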

@gcp-cherry-pick-bot gcp-cherry-pick-bot bot requested review from a team as code owners November 11, 2024 12:31
@netlify

netlify bot commented Nov 11, 2024

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit f4ec4cd
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/6731f937a8996900082a2811
😎 Deploy Preview https://deploy-preview-11993--authentik-docs.netlify.app

@codecov

codecov bot commented Nov 11, 2024

Codecov Report

Attention: Patch coverage is 80.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 92.56%. Comparing base (7ed268f) to head (f4ec4cd).
Report is 2 commits behind head on version-2024.10.

✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
authentik/policies/password/models.py 66.66% 1 Missing ⚠️
@@                 Coverage Diff                 @@
##           version-2024.10   #11993      +/-   ##
===================================================
- Coverage            92.57%   92.56%   -0.02%     
===================================================
  Files                  761      761              
  Lines                37818    37822       +4     
===================================================
- Hits                 35011    35009       -2     
- Misses                2807     2813       +6     
Flag Coverage Δ
e2e 49.15% <40.00%> (+0.04%) ⬆️
integration 24.91% <0.00%> (-0.01%) ⬇️
unit 90.15% <80.00%> (+<0.01%) ⬆️

@BeryJu BeryJu merged commit 6467681 into version-2024.10 Nov 11, 2024
@BeryJu BeryJu deleted the cherry-pick-05c2fe-version-2024.10 branch November 11, 2024 12:54