Maybe this helps you?
https://stackoverflow.com/questions/4267285/redirect-user-after-first-login-in-wordpress
He seems to have had a similar problem and solved it a year ago.
What he does differently from your approach is redirecting 48hrs after registration.
Maybe this is enough?
If not – I’m looking to do it your way.
— EDIT
Okay, I just made a plugin that does exactly what you want:
<?php
/*
Plugin Name: Redirect Passwort
Plugin URI: TODO
Description: TODO
Author: xaeDes
Version: 0.1
Author URI: TODO
License: GPL2
*/

// Runs whenever a profile is saved: remember that this user has changed the password.
function redirect_passwort_profile_update( $user_id, $old_user_data ) {
    $user = new WP_User( $user_id );
    if ( $user->data->user_pass != $old_user_data->user_pass ) {
        // password has changed
        update_metadata( "user", $user_id, "changed_password", true );
    }
}
add_action( "profile_update", "redirect_passwort_profile_update", 10, 2 );

// Runs after a login attempt: pick the page the user lands on.
function redirect_passwort_login_redirect( $redirect_to, $url_redirect_to = '', $user = null ) {
    if ( isset( $user->ID ) ) {
        $changed_password = get_metadata( "user", $user->ID, "changed_password", true );
        if ( $changed_password != true ) {
            return get_bloginfo( 'url' ) . "/change-your-password-dude/";
        }
    }
    // Password already changed, or $user is not a logged-in user (e.g. a WP_Error):
    // a filter must always return a value, so fall back to the default target.
    return $redirect_to;
}
add_filter( 'login_redirect', 'redirect_passwort_login_redirect', 10, 3 );

function redirect_passwort_password_reset( $user ) {
    // password has been reset to a random one, so the changed_password meta data should be reset as well
    if ( isset( $user->ID ) ) {
        delete_metadata( "user", $user->ID, "changed_password" );
    }
}
add_action( 'password_reset', 'redirect_passwort_password_reset' );
It adds the user meta data “changed_password” to a user who has changed their password.
When logging in, it checks whether the user meta data “changed_password” is set and redirects if it is not set (and therefore the user has not changed their password even once).
When the user's password is reset to a random one, the user meta data “changed_password” is reset as well.
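The `login_redirect` filter in the plugin above only runs once, at login, so a user who navigates away from the target page is not sent back to it. As an added example (not part of the original answer or its plugin), the following keeps redirecting on later requests until the “changed_password” meta is set; the `rp_` function names, the constant and the choice of hooks are assumptions, and the dashboard profile screen is assumed to be where the password gets changed.

```php
<?php
// Added example: enforce the password change on every request, reusing the
// "changed_password" user meta written by the plugin above.

// Slug copied from the plugin's redirect target; the page is assumed to exist.
define( 'RP_CHANGE_PAGE_SLUG', 'change-your-password-dude' );

// True while the logged-in user has never changed their password.
function rp_user_must_change_password() {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    // get_user_meta() returns '' when the key is absent.
    return ! get_user_meta( get_current_user_id(), 'changed_password', true );
}

// Front end: fires before WordPress picks a template to render.
function rp_enforce_on_front_end() {
    if ( ! rp_user_must_change_password() || is_page( RP_CHANGE_PAGE_SLUG ) ) {
        return; // nothing to enforce, or already on the target page (no redirect loop)
    }
    wp_safe_redirect( home_url( '/' . RP_CHANGE_PAGE_SLUG . '/' ) );
    exit;
}
add_action( 'template_redirect', 'rp_enforce_on_front_end' );

// Dashboard: fires on every wp-admin request, including admin-ajax.php.
function rp_enforce_in_admin() {
    global $pagenow;
    if ( wp_doing_ajax() || ! rp_user_must_change_password() ) {
        return;
    }
    // Leave profile.php reachable: saving a new password there triggers
    // profile_update, which is where the plugin sets the meta.
    if ( 'profile.php' === $pagenow ) {
        return;
    }
    wp_safe_redirect( home_url( '/' . RP_CHANGE_PAGE_SLUG . '/' ) );
    exit;
}
add_action( 'admin_init', 'rp_enforce_in_admin' );
```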