WackoWiki

View source for Re: How is minimum user password length determined?

[A]
You have two kinds of passwords:
%%
'pwd_min_chars'				=> 10,
'pwd_admin_min_chars'			=> 15,
%%

===Persistence of User Passwords===

**Minimum password** length: ##10##
Longer passwords are necessarily more secure than shorter passwords (e.g. 12 to 16 characters).
The use of passphrases instead of passwords is encouraged.	

**Minimum admin password** length: ##15##
Longer passwords are necessarily more secure than shorter passwords (e.g. 15 to 20 characters).
The use of passphrases instead of passwords is encouraged.	

You can change these password lengths, but you have to consider there are two different settings.
  * admin
  * user

In other words if you're **admin** ##pwd_admin_min_chars## are applied. So you've change both values to your range and it will work as expected.

It is always a good idea to change the config values in the Admin panel, otherwise you have to clear the config cache, update the session, purge the page and browser cache - depending on what you have changed, on your own.

Changing a value in the config table manually without updating/purging the config cache - it will still load the old values. 
In this case you can use the ##~{{admin_cache}}## action or delete the ##_cache/config/config.php## file by hand to update the config cache.

[B]
In the admin panels current configuration you can't change or overwrite the users password as admin, that's right. This can become a problem if the user lost access to his email account or sending emails is not possible or deactivated. Should we add a feature to overwrite the users password?