Any user can set their password to anything if they change it using the reset password form (select "Lost Password").
I'm still using "Force Strong Password" (need version 1.1 at https://github.com/gyrus/Force-Strong-Passwords as the repository has not yet been updated) to provide this.
It would be nice if I didn't need the additional plugin just to close this one security hole that is almost covered by BWPS.
