When processing an add operation, a modify operation, or a password modify extended operation that attempts to set a new password, the server can reject that operation if the password is deemed too weak by one or more of the password validators. Password validators can also be invoked when users authenticate in a manner that gives the server access to their clear-text password, which provides an ongoing means of ensuring password quality.
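A minimal model of the two invocation points described above, added here as an illustration and not taken from the server's own code. The validator names, the result strings, and the choice to flag (rather than fail) a bind that presents a weak password are assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical validators: each returns a reason string when the password is too weak.
def min_length(pw, entry, n=12):
    return None if len(pw) >= n else f"shorter than {n} characters"

def not_uid(pw, entry):
    return "contains the uid" if entry["uid"].lower() in pw.lower() else None

VALIDATORS = [min_length, not_uid]

def weaknesses(pw, entry):
    """Run every validator; an empty list means the password is acceptable."""
    return [r for v in VALIDATORS if (r := v(pw, entry)) is not None]

def encode(pw, salt=None):
    """Store only a salted hash, so validators cannot inspect a password at rest."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def set_password(entry, new_pw):
    """Add, modify, or password modify extended operation carrying a new password."""
    reasons = weaknesses(new_pw, entry)
    if reasons:
        return "rejected", reasons      # operation fails, stored value unchanged
    entry["pw"] = encode(new_pw)
    return "accepted", []

def bind(entry, presented_pw=None):
    """Authenticate; presented_pw is None when the mechanism never shows clear text."""
    if presented_pw is None:
        # Assumed to be verified by other means; nothing for validators to examine.
        return "authenticated", []
    salt, digest = entry["pw"]
    if not hmac.compare_digest(encode(presented_pw, salt)[1], digest):
        return "invalid-credentials", []
    reasons = weaknesses(presented_pw, entry)
    # Assumption: a weak password is only flagged; the follow-up action is policy.
    return ("authenticated-weak-password", reasons) if reasons else ("authenticated", [])

# Constructed entry whose password was stored before the validators above existed.
LEGACY = {"uid": "jdoe", "pw": encode("Summer2019")}
```

Because only the hash is stored, the legacy password cannot be re-checked at rest; it is caught the next time the user binds with it in clear text.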