While working on plone.login during the Midsummer Sprint, I came across "must_change_password". This is a member property that, if set, will prevent a user from doing anything within the site until they've changed their password. In theory this seems useful. We don't seem to be using it at all however. It doesn't exist as a default memberdata property and the tests for the feature all have to create it before attempting to test it.
Is anyone currently using this? Do we want to continue supporting it? Should it be exposed in the UI somewhere?
The only plugin that I know that has similar functionality is https://pypi.python.org/pypi/collective.pwexpiry. But I've no idea how it implements it. It uses monkey patching in places, which is always a sign that some parts should be in the core.
This plugin is similar but doesn't deal with enforcement of pw changes - https://github.com/collective/Products.LoginLockout. I did however recently make it Plone 5 compatible and introduce a new feature I was surprised was missing from Plone and its plugins: the ability to restrict logins to whitelisted IP ranges.