by NoXero 1507 days ago
Well, this is just a big turn-off. GitLab did this to me recently, apparently for security purposes. However, someone changing my password for me is a mega breach in my security. GitLab lost my business because of this "security feature" or whatever. GitHub, if you do this, I will self-host my code and stop using your service. Other companies who market to software engineers and security folk should take heed.
1 comments

I do want to say there are legitimate reasons to have your users have a forced reset. For example, you’re upgrading your encryption, you migrated to a new IAM system, your handling of UTF8 could have been wrong, or you’re meeting a new compliance standard that requires stricter passwords. I don’t know what happened with GitLab, but a telltale sign it’s bad is if they do it for you and not on your next login.