Fix server error when a password is very long

Add "Force two-step verification" permission

If enabled for a user, prevents email 2fa from being disabled

For new installs add a "User has compromised password" user-group, and update the "User-group for compromised passwords" option to use it

Align defaults with NIST Password Guidelines for 2024

Update "New password validation rules" defaults. "Prevent passwords which contain the user's email or username, and the site's domain/name" defaults to true

Update "Minimum password length" default to 15