SSPR 5026 - session password

We have "Read User Password" disabled in SSPR and Password Reset works fine. Now we want do increase password length and are getting the above error. It works for "Minimum number of characters in password" up to 16 - but not for more. Apparently SSPR does not obey the policy for the session password. Is this so or do I miss something?