Password minimum length not enforced
Although the reset password form suggests you have to have a minimum length, it is not enforced. You can enter any length and it will be reset.
Logout > lost-password form > Click link in email > reset password form
In the function wpforo_do_password_reset() there could be a password check which would prevent this.
Ok, this will be fixed in next version.