When you create a SQL Server login (with SQL authentication), you have the option of enforcing password policies from Windows (in SQL Server 2005 and above).
The recommendation is that you check all three and force strong passwords. You also force a password change so the person has a private password not known by the administrator.
If you go back into this account later, and look at the boxes, only 2 are available to be checked. The “User must change password at next login” is grated out.
In order to access this box and force a password change, you need to change the password. The reason is that if the account is compromised, the hacker should not be the one to set a new password. The security model assumes the administrator can contact the legitimate owner offline and give them the new password.
Start typing in the password box, and you can check the box:
Of course you need to set a password that conforms to the policies, and it needs to match the confirm edit box