The previous standard setting to NOT enforce new password on password reset needed back as a configurable option for security reasons on untrusted networks

[LeeteqXV]

Both in lack of 2FA, and even after we get it, it is useful with the option NOT to enforce new passwords on password reset

On my current Backdrop 1.7.x sites I can not get any kind of 2FA to work in any way yet. Since I do NOT want to send a password when logging in from for example a cafe, hotel, travel junction, client network, insecure public wifi networks, or the like, the most practical way is to use the "forgotten password" function (having made sure beforehand that the account in question is using an email address where I actually HAVE 2FA login), and then get a login link to that one.

However, since BD is insisting that I create a new password on the SAME (untrusted) connection, then that extra security option is lost...

The standard Drupal behaviour that actually does NOT enforce the password change was changed (deliberately) for some other reasons in #140
I agree that some sites, and even perhaps the default behaviour, might be desirable to have as it is now (although I think that the main challenge here is more related to presentation / GUI logic to avoid confusion, than to the side effects of either choice...), but I think we need to have the choice, not remove the option entirely.

Furthermore; AFTER we actually get something like TOTP (see #2788 ), it is also then very useful to be able to use 2FA + email link over such insecure wifi connections, so the option of NOT having to set a new password is still relevant.

It would be nice for web sites to have the option to choose the policy that is appropriate for them, so this should be a configurable setting in the account settings page, IMO.

In case this (IMO very valid/relevant security scenario) was not considered when this behaviour was changed, then I think that we could consider this issue as a bug report (forgotten consideration), and not a new feature request.

[quicksketch]

If you want to log in without setting a password, you can tack /login to the end of the password reset URL. Then you are logged in without setting a password. If you so wanted, you could edit your password reset templates and add /login to the end of the password reset URL token.

Although Drush uses this capability to log in without setting a password, we don't expose it easily. We could make another dedicated function and token to make this more easily accessible.

Right now we have user_pass_reset_url() we could make a companion user_one_time_login_url().

Same for tokens. Oddly we have a token named [user:one-time-login-url], which gives you a reset URL. IMO it would be much better to have [user:password-reset-url] that does the reset, while the current token would do the immediate log-in.

[stpaultim]

Related issue: #4281