Should I use two steps or one when users change password?

Definitely go with one step. The three field Old password, New Password, Repeat password form is a convention to boot. Two steps is just asking for trouble security and usability-wise. +1 two step can be significantly less secure.

1. How often is it recommended to change the user password?
2. Why do administrators ask users to change their password during the first login?
3. Should users be forced to change passwords?
4. Which password practice creates the most risk for compromising an account?

How often is it recommended to change the user password?

Cybersecurity experts recommend changing your password every three months. There may even be situations where you should change your password immediately, especially if a cybercriminal has access to your account.

Why do administrators ask users to change their password during the first login?

Forcing users to select their own password at initial logon, (the first time they authenticate), ensures that NOBODY else knows the password for the account once it has been changed. This is a control process called single-control.

Should users be forced to change passwords?

For all these reasons, forcing users to change their passwords regularly or implementing rigid policies about password length and complexity just don't work. And that's why NIST and even large enterprises like Microsoft do not recommend mandating periodic password changes.

Which password practice creates the most risk for compromising an account?

Reuse of passwords across multiple sites: When one data breach compromises passwords, that same login information can often be used to hack into users' other accounts. Reusing passwords for email, banking, and social media accounts can lead to identity theft.