If the Nextcloud server generates a secure random password (e.g. for sharing files), the password is validated before the shuffle function str_shuffle() is called. In very rare cases a password could be accepted by HIBPValidator before str_shuffle() but would not pass validation after the shuffle.
Since the password generation uses random characters, the source code must be manipulated to see the problem.
For instance, take the password “Password123”. Shuffle the password to “o3rw1sasd2P”.
In Generator::generate()
Let the validator check the password
See the insecure password “Password123” in the UI.
https://github.com/nextcloud/password_policy/blob/master/lib/Generator.php
In very rare cases the password generator may generate weak passwords.
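The ordering problem described above, as an added example that is not Nextcloud's code: it contrasts validate-then-shuffle with shuffle-then-validate. The `validate()` stub, its one-entry breached list, the injected `$shuffle` parameter and the retry limit are assumptions made so the rare case can be forced deterministically.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a breached-password check such as HIBPValidator:
// throws when the password is on a (constructed) breached list.
function validate(string $password): void {
    $breached = ['Password123'];
    if (in_array($password, $breached, true)) {
        throw new RuntimeException("breached password: $password");
    }
}

// Order described in the report: validate, then shuffle, then return.
// $shuffle is a hypothetical injected parameter used to force the rare case.
function generateValidateFirst(string $candidate, callable $shuffle): string {
    validate($candidate);
    return $shuffle($candidate); // the shuffled result is never checked
}

// Corrected order: shuffle first, validate the exact string that is returned,
// and retry with a fresh shuffle when the validator rejects it.
function generateShuffleFirst(string $candidate, callable $shuffle, int $maxAttempts = 10): string {
    for ($i = 0; $i < $maxAttempts; $i++) {
        $password = $shuffle($candidate);
        try {
            validate($password);
            return $password;
        } catch (RuntimeException $e) {
            // rejected after the shuffle: try again
        }
    }
    throw new RuntimeException("no valid password after $maxAttempts attempts");
}

// Constructed worst case: the shuffle turns an accepted candidate into a breached one.
$forced = fn(string $s): string => 'Password123';

// Validate-first accepts the candidate and then hands out the unchecked shuffle result.
echo generateValidateFirst('o3rw1sasd2P', $forced), "\n";

// Shuffle-first rejects every forced result, so it fails instead of returning a weak password.
try {
    generateShuffleFirst('o3rw1sasd2P', $forced);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// With the real str_shuffle(), whatever is returned has passed validation.
echo generateShuffleFirst('o3rw1sasd2P', 'str_shuffle'), "\n";
```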