Minimum password strength does not apply when logging in

[johnbillion]

The minimum password strength configuration only applies when a user attempts to change their password. This means it's possible for a user to retain a weak password despite the minimum strength setting being increased.

Ideally the minimum password strength check should also be performed at the point where a user successfully logs in, and if their password is too weak they should be required to perform a password reset before being able to proceed.