Switch normal use to using 'force_random_password'
Changes proposed in this pull request:
- remove ability to directly set user password
- add ability to use force_random_password for creating new users
- ignore changes to password fields to prevent deleting and recreating users (footgun protection)
Things to check
- For any logging statements, is there any chance that they could be logging sensitive data?
- Are log statements using a logging library with a logging level set? Setting a logging level means that log statements "below" that level will not be written to the output. For example, if the logging level is set to INFO and debugging statements are written with log.debug or similar, then they won't be written to the output, which can prevent unintentional leaks of sensitive data.
Security considerations
More secure, as we've eliminated the ability to insecurely set user passwords.