New user password change doesn't actually require a password change.
When creating a new user, if you select the "password change" checkbox to force a password change on the first login, the user will be prompted appropriately, but he doesn't actually have to supply a different password. It can be the exact same password he first logged on with.
In fact, if you go to @_admin/my_account/password@ after logging in, and execute a change of password, you can put the same password in all three fields, and it will be successful. It's as though we're not doing any checking at all.
Some thoughts I have:
If we're going to include a "force change" for new users, it should actually force a change, and not allow me to simply use the same password over again.
For password changes on a logged in user:
a. If we don't care that it's the same password, then we should simply offer a field for the new password, because the old one doesn't really matter.
b. If we DO care that it's the same, then we should be checking, just like on new user logins.
What do you guys think?
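One way to implement the check this report asks for, as an added example that is not the project's own code (Ruby; the User struct, its field names and the PBKDF2 hashing are assumptions made here): a password change is rejected when the new password equals the current one, and the "must change on first login" flag is cleared only by a genuine change.

```ruby
require "openssl"
require "securerandom"

# Assumed user record (not the project's schema): salted PBKDF2 hash plus
# the flag set by the "force password change" checkbox.
User = Struct.new(:login, :salt, :hashed_password, :must_change_password)

ITERATIONS = 100_000 # PBKDF2 work factor; tune for the deployment

def hash_password(password, salt)
  digest = OpenSSL::Digest.new("sha256")
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, digest).unpack1("H*")
end

# Constant-time comparison so hash mismatches do not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def new_user(login, password, force_change: true)
  salt = SecureRandom.hex(16)
  User.new(login, salt, hash_password(password, salt), force_change)
end

def password_matches?(user, password)
  secure_equal?(hash_password(password, user.salt), user.hashed_password)
end

# Login result: :invalid, :must_change_password (prompt before granting
# access) or :ok.
def login(user, password)
  return :invalid unless password_matches?(user, password)
  user.must_change_password ? :must_change_password : :ok
end

# Returns :ok after updating the record, or a symbol naming the rejection.
def change_password(user, old_password, new_password, confirmation)
  return :wrong_old_password unless password_matches?(user, old_password)
  return :confirmation_mismatch unless new_password == confirmation
  return :too_short if new_password.length < 8
  # The check the report says is missing: re-entering the current password
  # is not a change, so it must not satisfy a forced change either.
  return :same_as_old if password_matches?(user, new_password)
  user.salt = SecureRandom.hex(16) # fresh salt on every change
  user.hashed_password = hash_password(new_password, user.salt)
  user.must_change_password = false # cleared only by a real change
  :ok
end
```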