If you are using a Force.com site and trying to use a custom change password page, debugging issues is a nightmare because Salesforce has zero documentation on it. I created a custom change password page, and here are the steps to do it for any project.
Moments of truth.
a. Site.changePassword only works if the user is logged in, so never try to test this method with anonymous or guest users. To make the method work, you have to implement the Site.login method, which allows the user to log in and creates a session.
b. Never call Site.login and Site.changePassword in the same transaction or the same request. It does not work if one method makes both calls. Call Site.login first and redirect to a custom change password page where the user enters the old and new passwords.
c. System.setPassword does not work on Force.com Sites pages at the moment.
How do you do it?
a. Create a Visualforce page, ForgotUsername, where the user can enter the username.
b. The controller for ForgotUsername validates the username and calls Site.forgotPassword, which triggers an email with a temporary password to the user.
c. Create a confirmation page that tells the user to check their email for the temporary password.
d. Next, log in to your org, go to the site settings page, click Login Settings, and change the password page to a custom Visualforce page, which we will call ChangePwd.
e. On the ChangePwd page, create three text boxes for the old password, the new password and the confirmation.
f. Now the user logs in with their user ID and temporary password. Salesforce redirects the user to the ChangePwd page, where the user can enter the temporary password, new password and confirmation. The only pain is that the user has to enter the temporary password again on this page; if you want, you can store it in a custom object and delete it after the change password confirmation. This way, we can display the old password again.
g. On the ChangePwd page, read the passwords and call Site.changePassword with the old and new passwords. You will receive a page reference, which is the start URL parameter that you specified on the login method.
h. Now if you check the user detail screen, you should see that the last password update timestamp has changed.
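The steps above as a pair of Apex controllers. This is an added example, not the author's code; the class names, the action method names and the ForgotPwdConfirm confirmation page are assumptions, and each class goes in its own Apex class file.

```apex
// Added example. ForgotPwdConfirm is an assumed name for the confirmation page.
public with sharing class ForgotUsernameController {
    public String username { get; set; }

    // Steps a-c: request the temporary-password email, then always show the
    // same confirmation so the page does not reveal which usernames exist.
    public PageReference sendTemporaryPassword() {
        if (String.isNotBlank(username)) {
            Site.forgotPassword(username.trim());
        }
        PageReference confirm = Page.ForgotPwdConfirm;
        confirm.setRedirect(true);
        return confirm;
    }
}

public with sharing class ChangePwdController {
    // transient: the passwords are never serialized into the view state.
    // The temporary password is typed again here rather than stored in a
    // custom object, so it is not persisted anywhere by this page.
    public transient String oldPassword { get; set; }
    public transient String newPassword { get; set; }
    public transient String verifyNewPassword { get; set; }

    // Steps e-g. Runs in its own request, after Site.login created the session.
    public PageReference changePassword() {
        if (UserInfo.getUserType() == 'Guest') {
            return fail('Log in with your temporary password first.');
        }
        // String.equals is case-sensitive; the == operator is not.
        if (String.isBlank(newPassword) || !newPassword.equals(verifyNewPassword)) {
            return fail('The new password and its confirmation do not match.');
        }
        // Argument order is (new, verify, old).
        return Site.changePassword(newPassword, verifyNewPassword, oldPassword);
    }

    private PageReference fail(String text) {
        ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, text));
        return null;
    }
}
```

On the ChangePwd page, bind the three fields with apex:inputSecret so the values are masked, and include apex:pageMessages so the errors added above are shown.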
So, using the above techniques, you can create a custom change password page for your users from scratch. Feel free to post your comments on this, and I will follow up with some sample code in the next blog.