Password Policies in Drupal 6
At Kettul Design we maintain a large Drupal 6 app that enforces a policy of expiring passwords after a certain time period. Our client recently reported that users with expired passwords could not access the password reset form.
The site uses the password_policy module. There are no permissions associated with the module that would cause this issue. After one quick look at the settings page (admin/settings/password_policy/password_change), it became obvious what the likely cause of the problem was...
There is a text area that accepts a list of urls that users with expired passwords should be allowed to access. The logout path was there, but the edit password path was not. So, if you're using password_policy, be sure to include user/*/edit/password in the Page Exclusion List.