Add password rules and password change page for Mountain Warehouse

[homsar]

Overall Checklist

• I agree to the project's Developer Certificate of Origin
• The top-level JSON objects are sorted alphabetically
• There are no open pull requests for the same update

for password-rules.json

• The given rule isn't particularly standard and obvious for password managers
• Generated passwords have been tested from this rule using the Password Rules Validation Tool
• Information has been included about the website's requirements (eg. screenshots, error messages, steps during experimentation, etc.)
• The PR isn't documenting something that would be a common practice among password managers (e.g. minimal length of 6)

for change-password-URLs.json

• There is no Well-Known URL for Changing Passwords (https://example.com/.well-known/change-password)
• The URL either makes the experience better or no worse than being directed to just the domain in a non-logged-in state

The default password rules generate passwords that are rejected by mountainwarehouse.com as too long; the quirk added by this PR restricts the length such that generated passwords are accepted.

[rmondello]

This change is a clear improvement. But they don't allow any special characters?

[homsar]

Thanks for pointing that out—I’d forgotten about the allowed option.

Experimenting with allowed symbols also gave me a slightly altered version of the password rules with constraints that I don’t think can be expressed in the quirk syntax—the quirk as written encodes the requirement in the screenshot above plus allowing most* of the allowed symbols from the below, which is sufficient to satisfy either set of rules, but is technically over constrained.

* I excluded square brackets as those appear to be reserved as sentinel values so can’t be included in a character class.