silverstripe / cwp-core

CWP basic compatibility module
BSD 3-Clause "New" or "Revised" License

Look into directing a user to update their password #54

Open NightJar opened 5 years ago

NightJar commented 5 years ago

As per @sminnee's comment

We’d also want to think about the UX for if someone logs in with a no-longer-compliant password. Do we force a reset?

We currently do not force a reset (to my knowledge). The flow could be evaluated on submission of the password before hashing, setting a flag to update iff (if and only if) that should lead to a successful login.

I worry that this may appear to a semi-savvy user that the password is not stored securely ("how would they know what my password is to say that?"), so I think there would be some communication with whatever method this is communicated through to the user.

@clarkepaul @newleeland may be interested in this flow.

robbieaverill commented 5 years ago

I guess you could check the strength of the password against the current rules when a user successfully logs in, then redirect them to change password instead of the default login destination

clarkepaul commented 5 years ago

Sounds good, if there is a change to the compliance criteria—we could show a notification for them to update their password. We can keep on showing the notification until they actually reset it, don't know if we need to go to the enforce route?
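The flow discussed in this thread, as an added illustration rather than code from cwp-core or SilverStripe (which is PHP; this is a framework-agnostic sketch in Python): the submitted plaintext is checked against the current rules only after the credentials verify, before it is discarded, a persisted flag keeps the notification showing until the member actually changes the password, and an `enforce` switch picks between NightJar's forced redirect and clarkepaul's notification-only route. `PasswordPolicy`, `Member`, the URLs and the notice wording are all assumptions for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Placeholder routes (assumed for the example, not the project's real URLs).
CHANGE_PASSWORD_URL = "/change-password"
DEFAULT_URL = "/dashboard"

# Wording chosen to answer the "how would they know my password?" worry:
# the check ran on what the user just typed, not on anything stored.
NOTICE = ("The password you just entered no longer meets the current requirements. "
          "It was checked as you submitted it; it is never stored in readable form. "
          "Please choose a new password.")


@dataclass(frozen=True)
class PasswordPolicy:
    """The current compliance rules; `version` is bumped whenever they change."""
    version: int
    min_length: int
    min_character_classes: int  # out of lower, upper, digit, symbol

    def compliant(self, password: str) -> bool:
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
        return len(password) >= self.min_length and classes >= self.min_character_classes


@dataclass
class Member:
    email: str
    salt: bytes
    password_hash: bytes
    policy_version: int            # policy the stored password was last checked against
    change_required: bool = False  # persisted flag: keeps the notice showing until reset


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_member(email: str, password: str, policy: PasswordPolicy) -> Member:
    if not policy.compliant(password):
        raise ValueError("password does not meet the current policy")
    salt = os.urandom(16)
    return Member(email, salt, hash_password(password, salt), policy.version)


def login(member: Member, submitted: str, policy: PasswordPolicy, enforce: bool = True) -> dict:
    # Verify credentials first: the compliance check only runs for a successful login,
    # so a failed attempt learns nothing about the policy state of the account.
    if not hmac.compare_digest(hash_password(submitted, member.salt), member.password_hash):
        return {"ok": False}

    # The plaintext is still in hand here; evaluate it against the *current* rules
    # before it is discarded. Nothing about the stored hash is inspected.
    if not policy.compliant(submitted):
        member.change_required = True
    else:
        member.policy_version = policy.version

    if member.change_required and enforce:
        # Forced route: send the user to change their password instead of the usual destination.
        return {"ok": True, "redirect": CHANGE_PASSWORD_URL, "notice": NOTICE}
    if member.change_required:
        # Notification route: let them in, but keep showing the notice until they reset.
        return {"ok": True, "redirect": DEFAULT_URL, "notice": NOTICE}
    return {"ok": True, "redirect": DEFAULT_URL}


def change_password(member: Member, new_password: str, policy: PasswordPolicy) -> None:
    if not policy.compliant(new_password):
        raise ValueError("new password does not meet the current policy")
    member.salt = os.urandom(16)
    member.password_hash = hash_password(new_password, member.salt)
    member.policy_version = policy.version
    member.change_required = False  # clears the notice


if __name__ == "__main__":
    old_rules = PasswordPolicy(version=1, min_length=8, min_character_classes=2)
    new_rules = PasswordPolicy(version=2, min_length=12, min_character_classes=3)
    m = create_member("user@example.com", "correcthorse1", old_rules)  # constructed sample
    print(login(m, "correcthorse1", new_rules))           # redirect to change-password
    change_password(m, "Correct-Horse-Battery-9", new_rules)
    print(login(m, "Correct-Horse-Battery-9", new_rules))  # normal destination
```

The order matters: verifying the hash before evaluating compliance means the policy check never becomes an oracle on failed logins, and persisting `change_required` on the member (rather than only in the session) is what lets the notification survive across logins until the password is actually changed.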