$wgPasswordPolicy should be able to alter the password field on the login form. Use cases:
- add HTML validators, such as minimum length. We already do AJAX-based validation (except on mobile we don't, but that should probably be fixed - T211439), but this would be slightly faster, more native to the device and work without JS.
- add complex validators with visual elements, such as a password strength meter (T32574) or password generator (T151011), which require a script to be loaded (and probably some CSS class on the target field).
- add visual hints or help text about password requirements (e.g. a notice saying "at least 8 characters") (T211440)
Implementation-wise, $wgPasswordPolicy['forms']['check1'] could be an array that's merged into the form definition. Or maybe a callback.