What if you didn't reject the passwords outright, but simply warned the user? I wonder if that would be considered a violation? Also, the patent "Specifying a set of forbidden passwords" includes: "generating at least one symbolically equivalent password". What if you didn't generate a symbolically equivalent password (but just did a direct lookup)?