REQ.136 Force temporary passwords changing
The system must force users to change automatically generated temporary passwords after their first use.
OWASP-ASVS v3.1-2.17: Verify that the forgotten password function and other recovery paths do not reveal the current password and that the new password is not sent in clear text to the user. A one time password reset link should be used instead.
OWASP Application Security Requirements: Upon initial or first instance of requesting the application the user should be forced to select their password.
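One way to enforce this requirement, as an added example that is not part of the requirement text: an account carries a must_change flag that is set when a temporary password is issued and cleared only by a successful password change. The in-memory ACCOUNTS store, the function names, the PBKDF2 parameters and the 12-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

ACCOUNTS = {}  # hypothetical in-memory user table: user -> salt, hash, must_change

def _digest(password: str, salt: bytes) -> bytes:
    # Assumed parameters; use the KDF and cost your platform already mandates.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _store(user: str, password: str, must_change: bool) -> None:
    salt = os.urandom(16)
    ACCOUNTS[user] = {"salt": salt, "hash": _digest(password, salt),
                      "must_change": must_change}

def _verify(user: str, password: str) -> bool:
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    return hmac.compare_digest(acct["hash"], _digest(password, acct["salt"]))

def issue_temporary_password(user: str) -> str:
    """Generate a random temporary password and flag the account."""
    temp = secrets.token_urlsafe(12)
    _store(user, temp, must_change=True)
    return temp

def login(user: str, password: str) -> str:
    """Return 'denied', 'change_required' (no session is granted) or 'ok'."""
    if not _verify(user, password):
        return "denied"
    return "change_required" if ACCOUNTS[user]["must_change"] else "ok"

def change_password(user: str, current: str, new: str) -> bool:
    """Replace the password; only this call clears must_change."""
    if not _verify(user, current):
        return False
    # The temporary password may not be kept as the permanent one.
    if hmac.compare_digest(current.encode(), new.encode()) or len(new) < 12:
        return False
    _store(user, new, must_change=False)
    return True
```

The caller must treat 'change_required' as unauthenticated for every route except the password-change form, otherwise the flag is advisory only.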