The system must force the change of automatically generated temporary passwords
after their first use.
Temporary passwords are often harder to remember and shared over systems whose
future integrity may not be guaranteed by the system that created them.
Therefore, users should be forced to change them after their first use.
V2.3 Authenticator Lifecycle Requirements.(2.3.1)
Verify system generated initial passwords or activation codes SHOULD be
securely randomly generated, SHOULD be at least 6 characters long,
and MAY contain letters and numbers,
and expire after a short period of time.
These initial secrets must not be permitted to become the long term password.