On occasion we want to create a user account for important users who we've been in touch with in advance.
When they then visit our site, the ideal UX scenario is that they complete a third party form (generated by HelloSign) first, and change their password second.
Is there a good way to do this? I looked at eg this thread on sending an initial password via email, which is the solution that first occurred to me. The top-voted response recommends against the practice in favour of getting a log in/reset link, but as far as I understand, the point of doing it via token would be to prevent any other activity before the password has been changed. Is there any secure alternative?