Password policy should be enforced by default

Currently, an administrator can select for each site if a password policy can be activated or not. But actually a "default" password policy is always activated - if the checkbox is not checked, password must have 6 characters whatever there is in the password policy configuration panel, which is quite confusing. In order to disable the fact 6 characters are needed, we need to enable the password policy checks ..

Having 2 password policy systems is useless and very confusing, we should only keep the most customizable one.

Moreover, as users are now shared across sites, we don't really understand what happens if a user is in site with policy enabled and another site with policy disabled.