Currently, Traffic Portal restricts the passwords entered to a minimum of 8 characters. This restriction is not mirrored in the database (and possibly not in the API, but that can be fixed at the same time as the db if that's the case). I propose that we add this restriction to prevent potentially wildly insecure passwords from existing for Traffic Ops clients.
This would entail including a notice in the 5.0 release, probably in the changelog, one or four places in the documentation, and possibly another email to the users list after the 5.0 - to notify - and 6.0 - to remind - releases. Then, a migration can be added to 6.0 to restrict password length at the database level, giving users a full major upgrade cycle to make their data compliant with the new restrictions.
