set the password on their ssl key to something they know, so if they
download it, they can use it. But we do not want Geni User to login
directly (cause now they know their password), so watch for that on
the regular login path and deny it. Also, since the Geni user will not
know their password initially, do not require the current password
for the first password change, but it is required after that.