I think it'd be helpful for the admin to have the following dynamic (JS-driven) indicators, just like WordPress:
That could also be added in the admin when changing your own password or creating new users.
Thanks for the suggestion, it would be great & valuable to encourage users to create strong passwords.
Maybe we could create and link to an FAQ on Matomo.org explaining that it's important to use password managers, and store the encrypted database on a backed-up drive.
Regarding the indicator when passwords don't match... maybe we could even remove the need to type the password twice, and only have the password field once? As long as people have a valid email address in their profile they can easily reset the password if there was a typo.
You could also include a list of the most popular passwords and throw an error if the entered password appears in it.
I'm moving this to 3.7 as it has a huge security benefit. (move it back, if you have planned it for a later release)
I also like @tsteur's idea of rejecting (or at least warning about) common passwords.
Maybe this could even be combined with the new Have I Been Pwned API:
Moving it back to the backlog as it currently doesn't have a priority.
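The two checks suggested in this thread (rejecting passwords on a common-password list and looking them up in Have I Been Pwned), as an added example that is not part of the discussion and not Matomo code. It assumes the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`), which takes the first five hex characters of the password's SHA-1 and returns `SUFFIX:COUNT` lines; the function names, the sample list and the sample response are constructed for illustration.

```javascript
// Added example, not Matomo code. All names here are hypothetical.
const crypto = require("crypto");

// Constructed sample; a real deployment would ship a larger published list.
const COMMON_PASSWORDS = new Set(["123456", "password", "qwerty", "letmein"]);

// Split SHA-1(password) into the 5-character prefix that is sent to the range
// endpoint and the 35-character suffix that is only compared locally.
function hibpRangeQuery(password) {
  const hex = crypto.createHash("sha1").update(password, "utf8")
    .digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Parse a range response body ("SUFFIX:COUNT" per line) and return how often
// our suffix was seen in breaches, or 0 when it is not listed.
function breachCount(suffix, rangeBody) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// rangeBody is the text fetched for hibpRangeQuery(password).prefix.
// Pass null when the lookup failed: the local list still applies, and an
// outage of the remote service does not block password changes.
function checkPassword(password, rangeBody) {
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    return { ok: false, reason: "common" };
  }
  if (rangeBody === null) {
    return { ok: true, reason: "breach-lookup-unavailable" };
  }
  const seen = breachCount(hibpRangeQuery(password).suffix, rangeBody);
  return seen > 0
    ? { ok: false, reason: `breached:${seen}` }
    : { ok: true, reason: "not-found" };
}

// Constructed range response: filler suffixes around one matching entry.
function sampleRangeBody(password, count) {
  const filler = "0".repeat(34);
  const match = `${hibpRangeQuery(password).suffix}:${count}`;
  return [`${filler}A:3`, match, `${filler}B:1`].join("\r\n");
}
```

Only the five-character prefix would leave the server or browser, so the lookup can run on every password change without disclosing the password or its full hash to the remote service.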