If a client initially authenticates with an external source such as Google+,
the user should still have the ability to set a password via the password
reset mechanism.