Judging from Catalyst::Manual::Tutorial::05_Authentication, you should be able to program your own Catalyst::Plugin::Authentication subclass that overrides the ->authenticate method. But my (cursory) search of metacpan did not find any existing implementations.

If you are able to authenticate against LDAP, implementing the password reset rule in LDAP would enforce that without anything on your side and would also give the users single sign-on. But it requires an existing LDAP infrastructure :)