Warn of potentially poor/insecure password generation

[desrosj]

wp_generate_password() is responsible for generating random strings for many things in core. To name a few, Application Passwords, Core salts (as a fallback), random file names (Privacy), default user passwords, and more. Each scenario passes the length of the desired generated string, and whether to include 2 different sets of special characters.

In addition to being fully pluggable, there is a random_password filter within wp_generate_password() that can alter the result of the generated password. The $length field should always be respected and wp_generate_password() should never return a string shorter than requested. If this does happen, the user should be made aware that potentially insecure strings are being generated so that they can attempt to fix this.

[ayeshrajans]

I think this is a great idea. I would also like to suggest that the site tries to fetch some random bytes using random_int. PHP refuses to return any value if there is no cryptographically secure random number generator, so if we get an exception, it's a good sign that we are using our own dice to get the random numbers.

[desrosj]

Related: #40046.

I'm not sure if a filter to control the password length as suggested in #40046 should be added as it would allow sites to promote poor password techniques. If it is added, then this suggested test should also detect when the length argument is filtered to a potentially insecure number of characters.