Well, I just read this little nugget and decided to post it to share it with the world (as well as keep it somewhere safe for myself!). When the initial release of the SSPR came out with FIM, there were considerable issues in that the user password was changed to a random value as an administrator and then a “proxied” login was used to go in as the user themselves and change the password to the known value that was provided as part of the reset action. This however, led to some issues where people didn’t like that the random password was being applied however, in the same instance, this did allow for some password policy components such as password history and complexity to be enforced (which was otherwise bypassed by the administrator account changing the password to a random string).
In a later release, SSPR just simply changed the password using the value provided by the user performing the reset using the administrative credentials of the MA. This provided a problem in that the complexity and history were not enforced. (The figurative pendulum had swung far to the other direction!).
However, there is apparently a method now to allow SSPR to change the users password while still enforcing policies effectively. This is good news as it is certainly a bad precedent to have the self-service tool allowing users to reuse passwords that are weak! The details are found on the support site http://support.microsoft.com/KB/2443871.