As I can see with my 6.0.7 Pro server version, when a local user (no LDAP or Shibboleth) authenticates for the first time, he needs to change his password. But he can choose the same password… the same one that he received by email, etc.
I think it would be great to add a verification to forbid this kind of behavior.
Maybe it’s already done in new versions? But I see nothing in the changelog about that.