If they implemented it properly they could have checked the current password against the revised guidelines on the next login. No need to store it in plain text