diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/StringPolicyUtils.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/StringPolicyUtils.java
index ef5fd1e6bc0..53223913494 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/StringPolicyUtils.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/StringPolicyUtils.java
@@ -50,7 +50,7 @@ public static StringPolicyType normalize(StringPolicyType sp) {
 LimitationsType sl = new LimitationsType();
 sl.setCheckAgainstDictionary(false);
 sl.setCheckPattern("");
- sl.setMaxLength(-1);
+ sl.setMaxLength(Integer.MAX_VALUE);
 sl.setMinLength(0);
 sl.setMinUniqueChars(0);
 sp.setLimitations(sl);
diff --git a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/ValuePolicyProcessor.java b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/ValuePolicyProcessor.java
index d63fdba87c7..295de4eb177 100644
--- a/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/ValuePolicyProcessor.java
+++ b/model/model-common/src/main/java/com/evolveum/midpoint/model/common/stringpolicy/ValuePolicyProcessor.java
@@ -172,6 +172,7 @@ public boolean validateValue(String newValue, ValuePolicy
 AbstractValuePolicyOriginResolver originResolver, List messages, String shortDesc, Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
+ //TODO: do we want to throw exception when no value policy defined??
 Validate.notNull(pp, "Value policy must not be null.");
 OperationResult result = parentResult.createSubresult(OPERATION_STRING_POLICY_VALIDATION);
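Review bot: `sl.setMaxLength(Integer.MAX_VALUE)` changes the "no upper bound" sentinel from a negative value to the largest int, and any consumer of the normalized limitations that still tests `maxLength < 0`, or computes `maxLength + 1` or `maxLength - minLength + 1` for a random length, will now misbehave or overflow; those consumers are outside this diff, so this needs confirming before merge. Document the convention on the line so the next reader does not reintroduce arithmetic on it: `// Integer.MAX_VALUE means "no upper bound"; consumers must compare, never add to it.` The body of normalize continues outside the hunk.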
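Review bot: The added `//TODO: do we want to throw exception when no value policy defined??` leaves an open design question in code on a path that, per the other hunks in this commit, now validates new passwords for credential reset; a missing policy should keep failing closed here, as the following `Validate.notNull(pp, ...)` does, with the caller responsible for substituting a default. Replace the question with the decision, e.g. `// A null policy is a caller error: callers substitute a default policy rather than skipping validation.` The rest of validateValue is outside the hunk.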
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
index 94967534db7..015a1690540 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelRestService.java
@@ -110,6 +110,7 @@ public class ModelRestService {
 public static final String OPERATION_VALIDATE_VALUE_RPC = CLASS_DOT + "validateValueRpc";
 public static final String OPERATION_GENERATE_VALUE = CLASS_DOT + "generateValue";
 public static final String OPERATION_GENERATE_VALUE_RPC = CLASS_DOT + "generateValueRpc";
+ public static final String OPERATION_EXECUTE_CREDENTIAL_RESET = CLASS_DOT + "executeCredentialReset";
 private static final String CURRENT = "current";
 private static final String VALIDATE = "validate";
@@ -1042,7 +1043,7 @@ public Response getLog(@QueryParam("fromPosition") Long fromPosition, @QueryPara
 @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON, "application/yaml"})
 public Response executeCredentialReset(@PathParam("oid") String oid, ExecuteCredentialResetRequestType executeCredentialResetRequest, @Context MessageContext mc) {
 Task task = RestServiceUtil.initRequest(mc);
- OperationResult result = task.getResult().createSubresult(OPERATION_GET_LOG_FILE_CONTENT);
+ OperationResult result = task.getResult().createSubresult(OPERATION_EXECUTE_CREDENTIAL_RESET);
 Response response;
 try {
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
index bca6acbedff..e0387cafe69 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
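Review bot: The subresult is now named correctly, but `executeCredentialReset` has no Javadoc, and `executeCredentialResetRequest` carries the new password in clear text (`userEntry`, which the ModelInteractionServiceImpl hunk later feeds into `setClearValue(...)`). Add a Javadoc that states this so the body never records the request into the result or a log line, e.g. `/** Resets a credential of the user identified by {@code oid}. The request body carries the new credential in clear text; do not add it to the OperationResult or log it. */`. The method body continues outside the hunk.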
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
@@ -64,6 +64,7 @@
 import com.evolveum.midpoint.model.common.mapping.MappingFactory;
 import com.evolveum.midpoint.model.common.stringpolicy.AbstractValuePolicyOriginResolver;
 import com.evolveum.midpoint.model.common.stringpolicy.ShadowValuePolicyOriginResolver;
+import com.evolveum.midpoint.model.common.stringpolicy.StringPolicyUtils;
 import com.evolveum.midpoint.model.common.stringpolicy.UserValuePolicyOriginResolver;
 import com.evolveum.midpoint.model.common.stringpolicy.ValuePolicyProcessor;
 import com.evolveum.midpoint.model.impl.ModelCrudService;
@@ -109,6 +110,7 @@
 import com.evolveum.midpoint.prism.query.RefFilter;
 import com.evolveum.midpoint.prism.query.TypeFilter;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
+import com.evolveum.midpoint.prism.util.RawTypeUtil;
 import com.evolveum.midpoint.provisioning.api.ProvisioningService;
 import com.evolveum.midpoint.repo.api.PreconditionViolationException;
 import com.evolveum.midpoint.repo.api.RepositoryService;
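Review bot: `RawTypeUtil` is imported here, yet the validateValue hunk further down in this file unwraps the value with `((RawType) value).getParsedRealValue(String.class)` directly; if nothing else in the file references it, the import is dead and should be dropped. The same check applies to the new `StringPolicyUtils` import, which does not appear in any visible hunk either.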
@@ -1231,17 +1233,21 @@ private boolean validateValue(PrismObject object, V ValuePolicyType stringPolicy = resolveValuePolicy(policyItemDefinition, policy, task, parentResult); - RawType rawValue = (RawType) policyItemDefinition.getValue(); + Object value = policyItemDefinition.getValue(); String valueToValidate = null; - + if (value instanceof RawType) { + valueToValidate = ((RawType) value).getParsedRealValue(String.class); + } else { + valueToValidate = (String) value; + } + List valuesToValidate = new ArrayList<>(); PolicyItemTargetType target = policyItemDefinition.getTarget(); ItemPath path = null; if (target != null) { path = target.getPath().getItemPath(); } - if (rawValue != null) { - valueToValidate = rawValue.getParsedRealValue(String.class); + if (StringUtils.isNotEmpty(valueToValidate)) { valuesToValidate.add(valueToValidate); } else { if (target == null || target.getPath() == null) { @@ -1309,6 +1315,10 @@ private boolean validateValue(PrismObject object, V OperationResult result = parentResult.createSubresult(OPERATION_VALIDATE_VALUE + ".value"); if (path != null ) result.addArbitraryObjectAsParam("path", path); result.addParam("valueToValidate", newValue); + if (stringPolicy == null) { + stringPolicy = new ValuePolicyType(); + stringPolicy.setName(PolyString.toPolyStringType(new PolyString("Default policy"))); + } if (!policyProcessor.validateValue(newValue, stringPolicy, createOriginResolver(object, result), "validate value " + (path!= null ? "for " + path : "") + " for " + object + " value " + valueToValidate, task, result)) { result.recordFatalError("Validation for value " + newValue + " against policy " + stringPolicy + " failed"); LOGGER.error("Validation for value {} against policy {} failed", newValue, stringPolicy); 
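Review bot: The new `if (StringUtils.isNotEmpty(valueToValidate))` replaces the old `rawValue != null` test, so a caller that explicitly submits an empty string is no longer validated against the policy; control falls into the else-branch that resolves the value from the object's target path instead, and an empty password would never be rejected by a minLength rule. Keep the null check and let the empty string reach the policy, `if (valueToValidate != null) {`, or reject empty input explicitly. The `else { valueToValidate = (String) value; }` branch also throws ClassCastException for any value that is neither RawType nor String; `valueToValidate = value == null ? null : value.toString();` or an explicit SchemaException would make the failure mode deliberate. validateValue starts and ends outside the hunk.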
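Review bot: The context lines around the added default-policy block write the value under test into the result (`result.addParam("valueToValidate", newValue)`), into the shortDesc passed to the processor (`" value " + valueToValidate`), and on failure into `recordFatalError(...)` and `LOGGER.error(...)`; since this commit now routes the submitted password from executeCredentialsReset through this method, a rejected reset stores the clear-text candidate in the operation result and the error log. Remove the value from those lines and keep only the path and the policy name. The fallback `new ValuePolicyType()` named "Default policy" means that with no policy resolved every value passes; if that is intended, say so where it is created: `// No policy resolved: an empty policy is used, i.e. no constraints are enforced.` validateValue starts and ends outside the hunk.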
@@ -1601,20 +1611,22 @@ public ExecuteCredentialResetResponseType executeCredentialsReset(PrismObject userDelta = null; if (credentialSourceType.getUserEntry() != null) { - ProtectedStringType newProtectedPassword = new ProtectedStringType(); - newProtectedPassword.setClearValue(executeCredentialResetRequest.getUserEntry()); - PolicyItemDefinitionType policyItemDefinitione = new PolicyItemDefinitionType(); - policyItemDefinitione.setValue(credentialSourceType.getUserEntry()); + policyItemDefinitione.setValue(executeCredentialResetRequest.getUserEntry()); - if (!validateValue(user, null, policyItemDefinitione, task, parentResult)) { + if (!validateValue(user, valuePolicy, policyItemDefinitione, task, parentResult)) { LOGGER.error("Cannot execute reset password. New password doesn't satisfy policy constraints"); parentResult.recordFatalError("Cannot execute reset password. New password doesn't satisfy policy constraints"); - throw new PolicyViolationException(new SingleLocalizableMessage("execute.reset.credential.validation.failed", null, "New password doesn't satisfy policy constraints.")); + LocalizableMessage localizableMessage = builder.fallbackMessage("New password doesn't satisfy policy constraints.").key("execute.reset.credential.validation.failed").build(); + throw new PolicyViolationException(localizableMessage); } + ProtectedStringType newProtectedPassword = new ProtectedStringType(); + newProtectedPassword.setClearValue(executeCredentialResetRequest.getUserEntry()); userDelta = ObjectDelta.createModificationReplaceProperty(UserType.class, user.getOid(), SchemaConstants.PATH_PASSWORD_VALUE, prismContext, newProtectedPassword); @@ -1637,7 +1649,7 @@ public ExecuteCredentialResetResponseType executeCredentialsReset(PrismObject passwordReset - 123passwd456 + P4ssw0rd diff --git a/testing/rest/src/test/resources/req/yaml/execute-credential-reset.yml b/testing/rest/src/test/resources/req/yaml/execute-credential-reset.yml index d1f16805280..369cce41c66 100644 
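Review bot: `policyItemDefinitione.setValue(executeCredentialResetRequest.getUserEntry())` now passes the submitted password to validation, but nothing in this hunk rejects a request whose `userEntry` is null or empty; validateValue (earlier hunk) then takes its non-empty else-branch, and if that branch does not fail, execution reaches `newProtectedPassword.setClearValue(...)` with a null value and a replace delta on the password is built. Reject a null or blank `userEntry` before calling validateValue, and record the failure in `parentResult` the way the policy failure below does. The misspelled local `policyItemDefinitione` is also touched here and could be renamed to `policyItemDefinition`. `valuePolicy` and `builder` are defined outside the hunk.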
--- a/testing/rest/src/test/resources/req/yaml/execute-credential-reset.yml
+++ b/testing/rest/src/test/resources/req/yaml/execute-credential-reset.yml
@@ -17,4 +17,4 @@
 '@ns': "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
 executeCredentialResetRequest:
 resetMethod: "passwordReset"
- userEntry: "123passwd456"
+ userEntry: "P4ssw0rd"
diff --git a/testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestMapleLeaf.java b/testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestMapleLeaf.java
index e1b192244d7..8fa328f2695 100644
--- a/testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestMapleLeaf.java
+++ b/testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestMapleLeaf.java
@@ -41,7 +41,10 @@
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ShadowUtil;
 import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.test.IntegrationTestTools;
 import com.evolveum.midpoint.test.util.MidPointTestConstants;
+import com.evolveum.midpoint.test.util.TestUtil;
+import com.evolveum.midpoint.util.exception.PolicyViolationException;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ExecuteCredentialResetRequestType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
@@ -276,17 +279,17 @@ public void test101resetPassword() throws Exception { Task task = taskManager.createTaskInstance(TEST_NAME); OperationResult result = task.getResult(); + openDJController.assertPassword("uid=jack,ou=People,dc=example,dc=com", "oldValue"); //when + displayWhen(TEST_NAME); PrismObject user = getUser(USER_JACK_OID); ExecuteCredentialResetRequestType executeCredentialResetRequest = new ExecuteCredentialResetRequestType(); executeCredentialResetRequest.setResetMethod("passwordReset"); executeCredentialResetRequest.setUserEntry("123passwd456"); modelInteractionService.executeCredentialsReset(user, executeCredentialResetRequest, task, result); - openDJController.assertPassword("uid=jack,ou=People,dc=example,dc=com", "oldValue"); //THEN - displayThen(TEST_NAME); PrismObject userAfter = getUser(USER_JACK_OID); UserType userTypeAfter = userAfter.asObjectable();
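Review bot: Moving `openDJController.assertPassword(..., "oldValue")` before the reset leaves this hunk with no assertion on the LDAP password after `executeCredentialsReset(...)`, so the test no longer pins that the new value actually propagated; the rest of test101resetPassword is outside the hunk, so if it does not already, add `openDJController.assertPassword("uid=jack,ou=People,dc=example,dc=com", "123passwd456");` after the call. This test still submits `123passwd456` while the REST fixtures in the same commit were changed to `P4ssw0rd`, which suggests a policy now rejects the former; confirm the value used here satisfies the policy under test, otherwise the test exercises the failure path only.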