As a REST client, if I want to invalidate the current password of a user so the user cannot use it anymore and is forced to reset it, then I have to generate a random password string, which may or may not match the current password policy.

I'd prefer to have a REST API to invalidate a user's password that is guaranteed to succeed, not matter which password policy has been set.