Yesterday https://gerrit.wikimedia.org/r/#/c/operations/mediawiki-config/+/534707/ was deployed to raise the password requirement for "privileged users" to 10 characters, and have MW suggest that they change the password if it doesn't meet this policy.
It was reported to security@ that a user was then unable to login, or re-auth (during an active session) with their current password. Which meant they were unable to change their password
Something with the suggestChangeOnLogin workflow looks like it might be funky and not working as expected. It seems more like forceChange, but they weren't been given the password change form either
534707 was reverted in https://gerrit.wikimedia.org/r/537474 and deployed to mitigate in the short term