Hacker News

I've just intentionally ignored that case in the past. :-) I.e., sending a password reset email will bypass the check, just as you suggested. There are some other things that people can (and I'm sure do) do to try to meet the requirement, but there isn't really a solution. For example, a lot of people who hit this restriction are just trying their old password with one or two characters appended, so you can try the hash of a few substrings of the new password.

But in the end, none of that really keeps people from inventing new, easy to remember, and insecure passwords. Eventually people do learn to just alternate between about three different forms of passwords. IMO, most of these draconian policies are invented to make things look secure more than to provide real security. That seems appropriate for the TSA, right? :-)
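One concrete form of the substring check the comment describes, added here as an example and not code from the original post: the server keeps only the stored hash of the old password, and on a change request it hashes the new password with up to two characters stripped from either end (the comment's appended-characters case, generalised to prepended characters too) to reject trivial variants. The PBKDF2 parameters, salt and sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed for the demo); a production
# system would use a dedicated password hash such as argon2 or bcrypt.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a password with PBKDF2-HMAC-SHA256 under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def candidate_old_passwords(new_password: str, max_chars: int = 2):
    """Yield the strings that, with up to max_chars characters added at
    either end, would produce new_password. k == 0 yields the new password
    itself, which catches an unchanged password."""
    n = len(new_password)
    for k in range(0, max_chars + 1):
        if k >= n:          # never produce an empty candidate
            break
        yield new_password[: n - k]   # new password = old + k chars
        if k:
            yield new_password[k:]    # new password = k chars + old


def is_trivial_variant(new_password: str, old_hash: bytes, salt: bytes,
                       max_chars: int = 2) -> bool:
    """Return True if new_password is the old password with at most max_chars
    characters appended or prepended. Only the stored hash of the old
    password is needed, so no plaintext history has to be kept."""
    for candidate in candidate_old_passwords(new_password, max_chars):
        # Constant-time comparison against the stored hash.
        if hmac.compare_digest(hash_password(candidate, salt), old_hash):
            return True
    return False


# Constructed sample record: the user's current (old) password hash.
SALT = os.urandom(16)
OLD_HASH = hash_password("correct horse battery", SALT)

if __name__ == "__main__":
    for attempt in ["correct horse battery1", "correct horse battery!!",
                    "9correct horse battery", "correct horse battery123",
                    "staple tulip"]:
        print(f"{attempt!r}: rejected={is_trivial_variant(attempt, OLD_HASH, SALT)}")
```

Each candidate costs one full password-hash computation, so the check runs at most 2 * max_chars + 1 hashes per change request.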
