- Improvement
- Resolution: Unresolved
- Minor
- 2.1, 2.2, 2.3.2
- Any
- MOODLE_21_STABLE, MOODLE_22_STABLE, MOODLE_23_STABLE
- wip_master_mdl-32584_force_password_change_when_expired
Moodle's authentication framework includes a function called password_expire() which is currently only used by the LDAP authentication method. When this function is called, Moodle tells the user that their password has expired and asks them if they would like to update it.

Many organisations follow a standard practice of forcing their users to change passwords after they have expired. Recommendations for the lifetime of the password vary dependent on the security concerns of each organisation, but range anywhere from 30 to 180 days according to Microsoft guidelines. Our College was recently audited by Tenon and instructed to set password expiration to 60 days.

As things stand, the user can simply click "cancel" or navigate away from the page to avoid changing their password. I am proposing that this should remain the default setup for Moodle, but that a site-wide configuration option should be added which changes the behaviour and forces the user to change their password.

Moodle does already have a 'forcepasswordchange' flag for the user which, when set, takes the user back to the password change page even if they navigate away towards another page or course.
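The login-time decision the proposal describes, written out as an added PHP illustration (this is not Moodle's own code, nor the linked branch). The password_expire() below is a stub standing in for the auth plugin's method, which in Moodle returns the number of days until expiry (negative once expired, 0 when the plugin does not track it); the setting name `forcepasswordexpiry`, the warning window of 10 days and the sample users are assumptions made for the example.

```php
<?php
// Added illustration, not Moodle code: models the post-login check that the
// proposal describes. With the assumed site setting off, an expired password
// only produces a dismissible prompt (current behaviour); with it on, the
// existing per-user 'auth_forcepasswordchange' preference is raised so that
// require_login() keeps sending the user back to the change-password page.

const EXPIRATION_WARNING_DAYS = 10;   // assumed plugin setting, like auth_ldap's expiration_warning

/** Stub for auth_plugin_base::password_expire(); the table is constructed sample data. */
function password_expire(string $username): int {
    $sample = ['alice' => 25, 'bob' => 3, 'carol' => -2, 'dave' => 0];
    return $sample[$username] ?? 0;
}

/**
 * Decide what the login flow should do after a successful authentication.
 * Returns 'none' (nothing to do), 'warn' (dismissible prompt) or 'force'
 * (mandatory change, enforced through the forcepasswordchange flag).
 */
function expiry_action(int $days2expire, bool $forceexpiry): string {
    if ($days2expire > 0 && $days2expire < EXPIRATION_WARNING_DAYS) {
        return 'warn';            // approaching expiry: advisory only
    }
    if ($days2expire < 0) {
        // Already expired: the proposed option decides whether the user may cancel.
        return $forceexpiry ? 'force' : 'warn';
    }
    return 'none';                // far from expiry, or plugin does not track expiry
}

/** Apply the decision to a minimal in-memory user record (stands in for set_user_preference()). */
function apply_expiry_policy(array $user, bool $forceexpiry): array {
    $action = expiry_action(password_expire($user['username']), $forceexpiry);
    if ($action === 'force') {
        // In Moodle this would be: set_user_preference('auth_forcepasswordchange', 1, $user);
        $user['preference']['auth_forcepasswordchange'] = 1;
    }
    $user['action'] = $action;
    return $user;
}

// Walk the sample users with the assumed site setting enabled.
$forceexpiry = true;   // would come from the proposed site-wide config option
foreach (['alice', 'bob', 'carol', 'dave'] as $name) {
    $u = apply_expiry_policy(['username' => $name, 'preference' => []], $forceexpiry);
    printf("%-6s days=%3d action=%-5s forcepasswordchange=%d\n", $name,
           password_expire($name), $u['action'],
           $u['preference']['auth_forcepasswordchange'] ?? 0);
}
```

The point of routing enforcement through the existing preference rather than a new redirect is that the flag is already honoured everywhere require_login() runs, so navigating to a course or another page does not let the user escape the change; auditors checking a 60-day policy can then verify a single setting plus the preference rather than a new code path.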
- blocks: MDL-28585 LDAP Auth does'nt handle password expiration [W/Fix] (Closed)