--- a/mod_password_reset/mod_password_reset.lua	Tue Oct 09 14:12:03 2018 +0100
+++ b/mod_password_reset/mod_password_reset.lua	Tue Oct 09 14:12:45 2018 +0100
@@ -16,8 +16,9 @@
 
 local serve = module:depends"http_files".serve;
 
-module:depends"adhoc";
-module:depends"http";
+module:depends("adhoc");
+module:depends("http");
+local password_policy = module:depends("password_policy");
 
 local form_template = assert(module:load_resource("password_reset/password_reset.html")):read("*a");
 local result_template = assert(module:load_resource("password_reset/password_result.html")):read("*a");
@@ -38,6 +39,7 @@
 	return apply_template(form_template, {
 		jid = reset_info.user.."@"..module.host;
 		token = token;
+		min_password_length = password_policy.get_policy().length;
 	});
 end
 
@@ -54,6 +56,16 @@
 		return apply_template(result_template, { classes = "alert-danger", message = "This link has expired." })
 	end
 
+	local policy_ok, policy_err = password_policy.check_password(password);
+	if not policy_ok then
+		return apply_template(form_template, {
+			classes = "alert-danger", message = "Unsuitable password: "..policy_err;
+			jid = reset_info.user.."@"..module.host;
+			token = token;
+			min_password_length = password_policy.get_policy().length;
+		})
+	end
+
 	local ok, err = usermanager.set_password(reset_info.user, password, module.host);
 
 	if ok then

--- a/mod_password_reset/password_reset/password_reset.html	Tue Oct 09 14:12:03 2018 +0100
+++ b/mod_password_reset/password_reset/password_reset.html	Tue Oct 09 14:12:45 2018 +0100
@@ -34,6 +34,7 @@
 								class="form-control"
 								autocomplete="new-password"
 								placeholder="new password"
+								minlength="{min_password_length}"
 							>
 						</div>
 					</div>