Comment 3 for bug 616528

Anthony Lenton (elachuni) wrote : Re: Validate password strength and matching when resetting password

Yup.

In webservice's models.py, set_new_password currently isn't calling password_policy_compliant to verify the strength of the password, so (if a consumer doesn't validate the password for us) the user could end up with a very weak password or even an empty one.

The only other place where you can set your password via the api is when you register(). The code currently uses a form to validate the parameters you pass in here, and this form calls password_policy_compliant in its validation code. I think ideally we'd do the same in set_new_password.
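The gap described in the comment, as an added illustration (not code from the project): a model-style `set_new_password` that stores whatever it is given, beside the form that refuses the change unless `password_policy_compliant` passes. The policy rules, the `Account` class and the hasher are assumptions constructed for this example; the real project's policy and storage are not shown in the comment.

```python
import hashlib
import os
import re

# Assumed policy threshold (constructed for this example).
MIN_LENGTH = 8


class WeakPasswordError(ValueError):
    """Raised when a new password fails the policy check."""


def password_policy_compliant(password):
    """Return True if the password meets the (assumed) policy.

    Rules used here: non-empty, at least MIN_LENGTH characters, and at
    least one letter and one digit. They stand in for the project's own.
    """
    if not password or len(password) < MIN_LENGTH:
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    return has_letter and has_digit


def _hash(password):
    # Stand-in hasher: salted PBKDF2, stored as salt + digest.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


class Account:
    """Minimal stand-in for the webservice model object."""

    def __init__(self):
        self.password_hash = None

    def set_new_password_unchecked(self, password):
        # The shape the comment describes: no strength check, so an empty
        # or one-character password is accepted and stored.
        self.password_hash = _hash(password)

    def set_new_password(self, password):
        # Hardened form: validate first, matching what register()'s form does.
        if not password_policy_compliant(password):
            raise WeakPasswordError("password does not meet the policy")
        self.password_hash = _hash(password)


def try_set_new_password(account, password):
    """Return True if the checked setter accepted the password."""
    try:
        account.set_new_password(password)
    except WeakPasswordError:
        return False
    return True
```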