Make the minimum password length configurable #6629

Description

@ThiefMaster

Just 8 characters are not that great anymore according to recent standards. 12 or 15 is a more common minimum nowadays (TODO check the NIST guidelines). However, I could imagine that many Indico instances do not want to enforce such long passwords, so I'd prefer to not change the global default.

  • Add LOCAL_PASSWORD_MIN_LENGTH setting, default to the current hardcoded value of 8.
  • Do not allow anything shorter unless debug mode is enabled (fail in IndicoConfig.validate).
  • In validate_secure_password, keep the hard check for less than 8 chars (we want to keep forcing a password change for existing users with a shorter password), but also add a check for the new limit when the context is set-user-password.
  • Maybe populate the config file in the setup wizard with a longer minimum length, so newly installed instances get a better default?

Alternatively, we could just raise the minimum length but still with the context check to avoid forcing an "upgrade" from everyone who has a shorter one that's still 8+ chars right now. Any opinions?
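An added illustration of the two-tier check the list above proposes (a hard floor that keeps flagging legacy passwords, plus a configurable minimum that only applies when a password is being set). This is example code written for this page, not Indico's own implementation; the function names, the `debug` flag, the `settings` dict and the context strings `'login'` and `'set-user-password'` are assumptions chosen to mirror the wording of the issue.

```python
# Hypothetical model of the proposed LOCAL_PASSWORD_MIN_LENGTH behaviour.
# Not Indico code: names and contexts are assumptions for illustration.

HARD_MIN_LENGTH = 8  # the current hardcoded value; kept so existing short passwords still fail


def validate_config(settings, debug=False):
    """Mirror the proposed IndicoConfig.validate step.

    Rejects a configured minimum below the hard floor unless debug mode is on,
    and fills in the default (8) when the setting is absent.
    """
    min_length = settings.get('LOCAL_PASSWORD_MIN_LENGTH', HARD_MIN_LENGTH)
    if not isinstance(min_length, int) or isinstance(min_length, bool):
        raise ValueError('LOCAL_PASSWORD_MIN_LENGTH must be an integer')
    if min_length < HARD_MIN_LENGTH and not debug:
        raise ValueError(
            f'LOCAL_PASSWORD_MIN_LENGTH must be at least {HARD_MIN_LENGTH} (got {min_length})'
        )
    settings['LOCAL_PASSWORD_MIN_LENGTH'] = min_length
    return min_length


def validate_secure_password(context, password, settings):
    """Return an error message, or None if the password is acceptable.

    - The hard check (< 8) applies in every context, so a user whose stored
      password is shorter than 8 is still forced to change it.
    - The configured minimum only applies when a password is being set
      (context 'set-user-password'), so users with an 8+ char password that is
      shorter than the new configured minimum are not forced to "upgrade".
    """
    min_length = settings.get('LOCAL_PASSWORD_MIN_LENGTH', HARD_MIN_LENGTH)
    length = len(password)  # counts code points; assumed adequate for a length floor
    if length < HARD_MIN_LENGTH:
        return f'Passwords must be at least {HARD_MIN_LENGTH} characters long'
    if context == 'set-user-password' and length < min_length:
        return f'Passwords must be at least {min_length} characters long'
    return None


if __name__ == '__main__':
    cfg = {'LOCAL_PASSWORD_MIN_LENGTH': 12}
    validate_config(cfg)
    # Existing 10-character password: accepted at login, rejected when set anew.
    print(validate_secure_password('login', 'abcdefghij', cfg))
    print(validate_secure_password('set-user-password', 'abcdefghij', cfg))
```

The `debug` escape hatch is deliberately the only way below the floor: a misconfigured production instance should fail at startup rather than silently accept weaker passwords.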

Metadata

Assignees: No one assigned
Type: No type
Projects: No projects
Relationships: None yet
Development: No branches or pull requests