Description:
Manipulating the password verification plugin dictionary file has no impact on already-loaded plugin.  It seems that the file contents is cached, and that cache cannot be flushed short of restarting mysqld.

How to repeat:
Start mysqld with password verification plugin dictionary file specified, add words to dictionary file, note that passwords are still accepted which contain the newly-added words.

Suggested fix:
Options:

1.  Cache the last modified time from the dictionary file, check that against file system before using cache.
2.  Provide mechanism to manually flush cached dictionary file contents.

Added this to the validate_password_dictionary_file description:

Changes to the dictionary file while the server is running require a
restart for the server to recognize the changes.

Leaving bug report open in case developer intends to make it possible for the running server to re-read the dictionary file. (A good idea, IMO.)

Noted in 5.6.26, 5.7.8, 5.8.0 changelogs.

Previously, changes to the validate_password plugin dictionary file
(named by the validate_password_dictionary_file system variable)
while the server was running required a restart for the server to
recognize the changes. Now validate_password_dictionary_file can be
set at runtime and assigning a value causes the named file to be read
without a restart.
            
In addition, two new status variables are available.
validate_password_dictionary_file_last_parsed indicates when the
dictionary file was last read, and
validate_password_dictionary_file_words_count indicates how many
words it contains.