I updated the password requirements yesterday and I intentionally left a test user with a password that did not meet the new requirements. Even after saving new password requirements, I was able to log in with this test user using a password that did not meet the new requirements.
How does a password requirement change impact active users who currently don’t meet those new requirements?
The system was designed so that new password requirements are not applied to existing users until the next time they need to change their password.
If you want to force users to change their password, one thing you might consider is temporarily adjusting the "Password Valid for" and "Expiration warning" fields under Administration > General Setup to something like 5 days. This way, each user will have a few days to change their password and will be prompted to do so when they log in. After the initial 5 day period is complete, you could then extend the Password Valid For setting.