Bug Description

In internal/validators/password.go:14-43, the IsValidPassword function accepts isStrongPasswordDisabled parameter but never uses it. Strong password rules (uppercase, lowercase, digit, special char) are always enforced regardless of the parameter value.

Impact

MEDIUM — The EnableStrongPassword config setting has no effect. Users always get strong password requirements even when the admin disables them.

Fix

When isStrongPasswordDisabled is true, only check min/max length, skip character class checks.