If the auto generated password is too complicated, you could set it to be plain text, then enforce the rule to reset password on the first login. You can set the format of the new password.
I set the password format to plain text and set the password policy to be forced, but still no luck. The generated passwords are still complicated.
Are there any errors in the event log in Kentico related to the failed requests? How are these forgotten passwords generated or sent? In v7 I had issues with using the forgot password and reset password from the front site where ViewState was causing issues and the request and hash were invalidated when trying to reset it. This environment was setup in a webfarm with persistent sessions so I simply blamed it on that but not sure if the end result was that or not as we upgraded to v8.2 which seems to have resolved it.
The event log just displays Authentication Failed, but no error code with it. They are being generated and sent with the forgot password portion of the login web part. I'll see if the ViewState is causing the issue on this site as well.