The system should programmatically choose a new temporary password and
should send it to the user, with a note reminding them to change it
immediately. The administrators should not have direct access to the
temporary or user-selected passwords.
Functions that the administrators are able to perform on behalf of
users should be done via their own login credentials, so the actions
can be distinguished from the user's.