On our support instance we have the password level set to High for end-users. This requires them to reset their passwords every 90 days. However, the user experience is kind of misleading when the password expires. End-users get two emails when this happens:
- Password Reset - This is kind of expected. However, the wording within makes it seem like their account was compromised - "This email was sent to you because someone requested a password reset on your account." This can be a bit jarring for end-users.
- Password Changed - This one is even more unexpected. The email contains:
"We wanted to let you know that your user profile has been updated by the administrator.
Your password was changed.
You can sign in at: <Instance URL>
If you think this password update is a mistake, reset your password immediately. If you still need help, please contact our Customer Support team."
Again this seems like their account has been compromised. And why is the administrator resetting their password?? I assume behind the scenes the admin password reset functionality is being used to facilitate the expiry. But I don't think there needs to be a specific email sent to the user in this case.
So with all that in mind, why are there 2 emails being sent out that don't really explain what's going on to the end-user? Really there should just be one email explaining "Your password has expired, please create a new one". If this can't be changed it would be nice to be able to modify the messages being sent to the end-users, like we can with other notifications.