Comment 8 for bug 1641645

Gage Hugo (gagehugo) wrote :

I was thinking to have first use passwords fall under the same category for this. So if a user authenticates and either:

1) Password is first used
2) Password is expired

then we can return the URL for them to change their password themselves. I currently have a config setting for toggling the expired password self-change, because I have seen it used both ways and then we aren't forcing one way over the other. But I would imagine that we would want a "first use" password to be changed immediately.