
Password Resets

Tom King edited this page Jun 9, 2018 · 6 revisions

PW RESET

If your application settings allow it, a user can reset their password via the forgotten-password link. An email is sent out containing a URL that includes a token set on the user's account when they make the request. The token is only valid for 2 hours and is set back to blank once used.

Conditions

Only verified accounts can create password resets. This prevents confusion, and illicit access, from newly registered accounts. Logged-in users can't create password resets either.

Email Templates

The password reset email templates can be found in /views/emails/; you'll notice there is both an HTML and a plain-text version. Don't forget to update the corresponding version whenever you change one of them.

Administrators forcing a password reset

If an administrator sets a new random password for a user via the "Reset Password" feature in the main user management index, then the user's account will a) have the new password set and b) have the passwordchangerequired flag set.

Once that user logs in, a session-based flag is set which forces all requests to the account password reset screen. They can still log out, which cancels this behaviour for that session, but they will be forced to reset before they can get anywhere further in the application.
