"aaaaaaaa" is rejected with "password is too weak", also rejects "password", so it's probably a dictionary check on the backend. didn't document common as a dictionary though because it wasn't stated, could maybe be added in a future update.
visiting a reset link while logged in reloads the last page you had open (#68)
visiting an expired link when logged out redirects you to the root password reset request form with a flash telling you the link expired
Stray observations:
common
as a dictionary though because it wasn't stated, could maybe be added in a future update.