This is less of a question, but more of a problem I encountered today while trying to buy something in an online shop. After being prompted to login (as always), I was prompted with a new page that proposed to me to pick a new password and to confirm it. The argumentation is "to keep you safe".
One does not have to be an UX designer to see that this is very obviously very bad practice, especially without any further information provided. It looks scammy, and when I checked the URL it seems that it was indeed from the official paypal website. When checking the console errors for any signs of a MitM attack, you're prompted with TypeScript index errors.
As if this was not enough, I did indeed change my password, made my purchase and was done with it. For my own sanity I wanted to double check and reset my password again - in the official UI which I've known for a long time - only to be prompted after the successful login to RESET MY PASSWORD AGAIN, with the same dialogue. I'm obviously venting and quite angry that a company that I'm trusting with my money can't seem to handle basic authentication. A parallel issue I discovered is that some special characters are not even allowed to use (like '<' or '>'). Makes me wonder how you santize your inputs...
I usually never post these issues but as a user that wants to feel safe when handling my money online I feel like this post should be searchable so people know they're not alone with that feeling.
As I don't want to be that guy that only complaints - please IF this is really necessary for people to change their password, please make it either optional and forward user to your official password reset site and check when this option should trigger, as these bugs really take away from our trust in you as a company to handle our finances.
