diff --git a/plugins/password/README b/plugins/password/README
index 95b7e915b..c7d7abffb 100644
--- a/plugins/password/README
+++ b/plugins/password/README
@@ -446,14 +446,14 @@ Driver using "Have I been pwned?" (https://haveibeenpwned.com/Passwords) API to check that entered passwords aren't already compromised (i.e., commonly known).
- The check is performed locally, the actual password is *not* transmitted anywhere else.
+ The check is performed locally, the actual password is *not* transmitted anywhere.
 Example configuration:
 $config['password_strength_driver'] = 'pwned';
 $config['password_minimum_score'] = 3;
- See the driver implementation file for more documentation.
+ Maximum supported score for this driver is 3. See the driver implementation file for more documentation.
 3. Driver API
diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index e0ba9fe93..8933000c8 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -22,6 +22,7 @@ $config['password_minimum_length'] = 8;
 // Require the new password to have at least the specified strength score.
 // Note: Password strength is scored from 1 (week) to 5 (strong).
+// Note: Some strength drivers (e.g. pwned) do not support full range.
 $config['password_minimum_score'] = 0;
 // Enables logging of password changes into logs/password
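Review bot: The added comment in config.inc.php.dist says some drivers "do not support full range" but gives the admin nothing to act on: it names neither the limit nor what happens when `password_minimum_score` is set above it. The README hunk in this same commit states that pwned tops out at 3, so the comment could carry that, e.g. `// Note: Some strength drivers support a lower maximum score (e.g. 3 for pwned, see README).` Whether a minimum above the driver's maximum rejects every new password or is never enforced is not visible in this diff; whichever the driver code does, it is worth one more comment line, since the first blocks password changes and the second leaves the policy weaker than configured. The context line above still reads `1 (week)`, which should be `weak`.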