Improve password policy handling on login

[LukasReschke]

• Document existing state (we do only check the policy on password changes)
• Consider performing the password policy check also on login time

Reference https://hackerone.com/reports/1169335

[nickvergessen]

Should only be reported if the user backend allows the user to change their password.