Password policies are not working as expected