fix(password): align validation feedback and show correct policy requirements

[rakdutta]

Closes #4753

Summary

Centralizes password policy requirements and standardizes validation feedback across user
creation and password change flows. Users now receive consistent, explicit policy guidance
(12 characters minimum, 3-of-4 complexity groups) both during form entry and on validation failure.

Changes

Unified Policy Requirements

• Introduced get_password_requirements() static method in PasswordPolicyService exposing a complete,
  descriptive set of password rules (minimum length, complexity rules, restrictions) for use by both backend
  and frontend
• Backend now returns a single password_requirements dictionary instead of individual policy flags,
  ensuring the frontend always receives up-to-date requirements

Enhanced Error Handling

• Improved password change flows to encode detailed error messages in redirect URLs
• Added HTML escaping in error responses to prevent injection vulnerabilities
• Backend validation failures now communicate specific policy violations to the user

Frontend User Experience

• Refactored admin templates to dynamically render password policy guidance based on backend requirements
• Implemented real-time client-side validation matching backend rules (3-of-4 complexity, minimum length, etc.)
• Enhanced error display in user creation workflows to show specific backend validation failures
• Form submission now only possible when all requirements are met

Configuration & Maintenance

• Updated .env.example to document password length environment variables for different account types (following OWASP recommendations)
• Refactored password complexity and restriction checks for clarity and maintainability (common passwords, username inclusion, sequential characters)