Apologies in advance, this post contains a rant.
When you have a service that requires the user to log in, what do you consider to be the most critical part of the system? The login, of course. If it does not work, then the users will be pissed off beyond belief. All other issues can be bearable as long as they do not, like a broken login, prevent the user from doing the most crucial thing that your service provides. If such a critical part of the service is broken, all other work gets halted until the issue has been fixed, right?[1]
Now, a part of the login functionality is the reset/forgotten password feature. Of course, should the new password meet the password requirements, one would expect it to start working after it has been set, right? Should that functionality be broken, the same criticality should be applied to fixing the issue as to the regular login.
Today I tried to use a service that has broken login functionality. First the service did not accept the password I had set when I created my account there. Then, after resetting my password THREE FUCKING TIMES, it still did not allow me to log in. Now my account is locked because I had too many unsuccessful login attempts.[2] I had to contact their support to get my account unlocked and working again, which most likely happens on Monday at the earliest. As you might have guessed, I am a bit more than pissed off now.
Once again, sorry for venting, but I needed to do this to calm myself down.
[1] That is at least my expectation, as I have done exactly that a few times in various projects.
[2] Which is also a funny thing. I would not lock the account but require a 2-factor authentication in such a scenario, and maybe also require the user to fill in some detail they have given for the profile.