
Updating Password Length Policy based on new NIST Guidelines #460

Draft: wants to merge 2 commits into base branch driftwood

Conversation


@mdueltgen mdueltgen commented Oct 4, 2024

🗣 Description

[NIST's guidance](https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver) is: "Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length." Based on internal discussion we are looking to adopt a split SHALL/SHOULD approach for the policy.

💭 Motivation and context

Closes #442

🧪 Testing

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • If applicable, all future TODOs are captured in issues, which are referenced in the PR description.
  • The relevant issues this PR resolves are linked, preferably via closing keywords.
  • All relevant type-of-change labels have been added.
  • I have read and agree to the CONTRIBUTING.md document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.

✅ Pre-merge Checklist

  • This PR has been smoke tested to ensure main is in a functional state when this PR is merged.
  • Squash all commits into one PR level commit using the Squash and merge button.

✅ Post-merge Checklist

  • Delete the branch to clean up.
  • Close issues resolved by this PR if the closing keywords did not activate.


@jkaufman-mitre jkaufman-mitre left a comment


These changes look good. Splitting the policy into Shall/Should is a good idea, especially since it is consistent with NIST policy.


@buidav buidav left a comment


Add the new NIST-800-63B Password Guidelines to the Resources section of the Policy Group.
https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver

@mdueltgen mdueltgen requested a review from buidav October 7, 2024 11:16
@adhilto adhilto marked this pull request as draft October 9, 2024 16:44