Are you using the database-based security mechanism built into Portal? If so, then before the user can login, the user must register and provide a password as part of that registration. Would that not qualify as "changing the password on first login" as required by ISO 9001? I know that the inspectors can be a little anal, but it is worth asking. Usually the "change password" requirement assumes that someone else, such as the Portal or a Portal admin, created the login id along with a temporary password. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4154329#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...