Regarding passphrases necessary to reset/recover a password.
They are thus equivalent to a password. So, if they do not have the same strength as a password, they are the weak link.
They are truly only useful when the password reset/recovery is accomplished out-of-band, as when calling in to a *human* at one's bank, and further providing some other self-identifying information. Preferably, such systems would require a visual identification as well.
As long as the word can be used to reset the password, the password is thus compromised.
I would not like to see any coding effort in that direction for the general OACS auth scheme. Such is the proper province of those who have on-line/in-person customer service reps.
Regarding quality of password.
In a system we have (whose redesign requirements brought us to OACS in the first place) that has authentication and privacy needs, we are currently assigning a random 8-digit password. We find that initially folks recoil at having to use such. In practice, once they install the password once in their mailer and once in their browser, they are happy: 1) they realize they are possessed of a hard-to-guess password, and 2) it is secured on their PC, and as long as their physical security is OK, their on-line security with us will be as well.
That is really all that is needed in the vast majority of cases. I'm unaware of any place where a break in physical security wouldn't completely eliminate the need to perform any on-line hacking. I can imagine such. I know such must exist. I doubt OpenACS is considered for such places.
Cheers!
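As an added illustration, not code from the post above or from OpenACS, here is how the random assigned passwords the post describes could be generated with Python's `secrets` module (the OS CSPRNG, never `random.random()`), together with the entropy such a password carries. It goes slightly beyond the post by also covering a mixed-alphabet password of the same length, so the two can be compared; the function names and alphabets are my own choices.

```python
"""Random assigned passwords and their entropy (added example, not the post's code)."""
import math
import secrets
import string

# Alphabets assumed for illustration: the post's digit-only scheme and an
# alphanumeric alternative of the same length for comparison.
DIGITS = string.digits                     # 10 symbols
ALNUM = string.ascii_letters + string.digits  # 62 symbols


def generate_password(length: int = 8, alphabet: str = DIGITS) -> str:
    """Return `length` symbols drawn uniformly from `alphabet`.

    secrets.choice() uses the operating system's CSPRNG, so the result is
    suitable for credentials; the `random` module is not.
    """
    if length <= 0 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string of this shape:
    length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def expected_guesses(length: int, alphabet_size: int) -> float:
    """Average number of guesses an attacker needs against a uniform
    password of this shape (half the keyspace)."""
    return (alphabet_size ** length) / 2


def describe(length: int, alphabet: str) -> dict:
    """Summarise a scheme: a sample password plus its strength figures."""
    return {
        "sample": generate_password(length, alphabet),
        "bits": round(entropy_bits(length, len(alphabet)), 2),
        "expected_guesses": expected_guesses(length, len(alphabet)),
    }


if __name__ == "__main__":
    for name, alphabet in (("8 digits", DIGITS), ("8 alphanumeric", ALNUM)):
        info = describe(8, alphabet)
        print(f"{name}: sample={info['sample']} "
              f"entropy={info['bits']} bits "
              f"expected guesses={info['expected_guesses']:.3g}")
```

The entropy figure is what matters for a server-side credential store: an 8-digit password has a keyspace of 10^8, so it resists on-line guessing only when the server rate-limits attempts; against an offline attack on a leaked hash database the alphanumeric variant at about 47.6 bits holds up considerably better than the digit-only one at about 26.6 bits.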