Plugin 'password' > Setting password_minimum_score = 4 returns "password is too weak" for secure passwords #9751

Open
2 tasks done
cmonty14 opened this issue Jan 11, 2025 · 1 comment

Comments

cmonty14 commented Jan 11, 2025

Prerequisites

  • I have searched for duplicate or closed issues
  • I can recreate the issue with all plugins disabled

Describe the issue

Hello,
I enabled plugin password with these settings:

$config['password_strength_driver'] = 'pwned';
$config['password_minimum_length'] = 8;
$config['password_minimum_score'] = 4;

Changing current password to Z8@aXZ)cm^SQtNR6MbFj returns: password too weak.
(I have no problem pasting the password here in cleartext, because it's a randomly generated example.)

Imo this password is secure, and it's reported green by Have I Been Pwned.

Why is password_minimum_score = 4 causing this failure?

What browser(s) are you seeing the problem on?

Chrome, Edge

What version of PHP are you using?

v8.2

What version of Roundcube are you using?

v1.6.5

JavaScript errors

No response

PHP errors

No response

Contributor

johndoh commented Jan 11, 2025

From the comments at the top of the pwned driver file.

This driver will return a strength of:
    3: if the password WAS NOT found in HIBP
    1: if the password WAS found in HIBP
    2: if there was an ERROR retrieving data. 
....
Setting the minimum score to 1 or less effectively renders
the checks useless, as all passwords would be accepted.
Setting it to 4 or more will effectively reject all passwords.
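
The scoring rule quoted above, as an added PHP example that is not part of the thread and is not Roundcube's driver code. The three score values come from the quoted comment and the "accepted when score >= minimum" comparison is inferred from it; the function names, the constructed range-response bodies and the SHA-1 prefix/suffix matching of the HIBP range API are assumptions of this example.

```php
<?php
// Added illustration, not Roundcube's driver code. Score values follow the
// driver comment quoted above; the accept rule (score >= minimum) is inferred from it.
const SCORE_FOUND = 1;      // password WAS found in HIBP
const SCORE_ERROR = 2;      // ERROR retrieving data
const SCORE_NOT_FOUND = 3;  // password WAS NOT found in HIBP

// Score a password against the body of a HIBP range response: "SUFFIX:COUNT"
// lines for one 5-character SHA-1 prefix. A null body models a failed lookup.
function pwned_score(string $password, ?string $rangeBody): int
{
    if ($rangeBody === null) {
        return SCORE_ERROR;
    }
    // Only the first 5 hex characters are sent; the remaining 35 are matched locally.
    $suffix = substr(strtoupper(sha1($password)), 5);
    foreach (preg_split('/\R/', trim($rangeBody)) as $line) {
        [$candidate] = explode(':', trim($line), 2);
        if (strtoupper($candidate) === $suffix) {
            return SCORE_FOUND;
        }
    }
    return SCORE_NOT_FOUND;
}

// Constructed range body (not real HIBP data), optionally listing the password.
function sample_range(string $password, bool $listed): string
{
    $own = substr(strtoupper(sha1($password)), 5);
    $filler = str_repeat('0', 35) . ":4\r\n" . str_repeat('F', 35) . ":1";
    return $listed ? "$filler\r\n$own:12345" : $filler;
}

$cases = [
    'not found' => pwned_score('Z8@aXZ)cm^SQtNR6MbFj', sample_range('Z8@aXZ)cm^SQtNR6MbFj', false)),
    'found'     => pwned_score('password', sample_range('password', true)),
    'error'     => pwned_score('anything', null),
];

// Show which outcomes each password_minimum_score value lets through.
foreach ([1, 2, 3, 4] as $minimum) {
    foreach ($cases as $label => $score) {
        $verdict = $score >= $minimum ? 'accepted' : 'rejected (too weak)';
        printf("minimum_score=%d  %-9s score=%d  %s\n", $minimum, $label, $score, $verdict);
    }
}
```

Every row for minimum_score=4 prints rejected, because no branch returns more than 3; with minimum_score=3 only a successful lookup that does not list the password is accepted.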
