[[https://www.mediawiki.org/wiki/Manual:$wgPasswordPolicy|`$wgPasswordPolicy`]] should be able to alter the password field on the login form. Use cases:
* add HTML validators, such as minimum length. We already do AJAX-based validation (except on mobile we don't, but that should probably be fixed - T211439), but this would be slightly faster, more native to the device and work without JS.
* add complex validators with visual elements, such as a password strength meter (T32574) or password generator (T151011), which require a script to be loaded (and probably some CSS class on the target field).
* add visual hints or help text about password requirements (e.g. a notice saying "at least 8 characters") (T211440).
Implementation-wise, `$wgPasswordPolicy['forms']['check1']` could be an array that's merged into the form definition. Or maybe a callback. And password checking methods should probably be able to return extra data that's communicated to the client via the password validation API module, so something like a password strength meter can use server-side logic (important because password checking logic can involve huge wordlists which cannot be sent to the client).
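A sketch of the callback variant, added here as an illustration and not taken from MediaWiki or from this task: the `forms` key, the fragment keys (`minlength`, `help`), the field array and both helper functions are hypothetical, and the wordlist is constructed sample data.

```php
<?php
// Added sketch. The 'forms' key, the fragment keys and both helper functions
// are hypothetical; only the policy name MinimalPasswordLength is an existing setting.
$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 8;

// One callback per check: policy value in, field-definition fragment out.
$wgPasswordPolicy['forms']['MinimalPasswordLength'] = static function ( int $min ): array {
	return [
		'minlength' => $min, // native HTML validation, works without JS
		'help' => "at least $min characters", // visible hint
	];
};

// Merge the fragment of every active check into the password field definition.
function applyPolicyToField( array $field, array $policy, array $forms ): array {
	foreach ( $policy as $check => $value ) {
		if ( isset( $forms[$check] ) ) {
			$field = array_merge( $field, $forms[$check]( $value ) );
		}
	}
	return $field;
}

// A check that returns extra data for the validation API. The wordlist is only
// consulted here; the client receives the verdict and a score, never the list.
function checkAgainstWordlist( string $password, array $wordlist ): array {
	$common = isset( $wordlist[strtolower( $password )] );
	// Placeholder score (0-4) from byte length; a real meter would use better logic.
	$score = $common ? 0 : min( 4, intdiv( strlen( $password ), 4 ) );
	return [ 'ok' => !$common, 'data' => [ 'strength' => $score ] ];
}

$field = applyPolicyToField(
	[ 'type' => 'password', 'name' => 'password' ], // constructed field definition
	$wgPasswordPolicy['policies']['default'],
	$wgPasswordPolicy['forms']
);
$wordlist = [ 'password' => true, 'letmein' => true ]; // constructed sample
echo json_encode( $field ), "\n";
echo json_encode( checkAgainstWordlist( 'Password', $wordlist ) ), "\n";
echo json_encode( checkAgainstWordlist( 'correct horse battery', $wordlist ) ), "\n";
```

The `data` part of the check result is what the password validation API module would pass through to a strength meter.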