Separate "Set/Reset Password" from "Change Password"

Summary:
See PHI223. Ref T13024. There's a remaining registration/login order issue after the other changes in T13024: we lose track of the current URI when we go through the MFA flow, so we can lose "Set Password" at the end of the flow.

Specifically, the flow goes like this today:

• User clicks the welcome link in email.
• They get redirected to the "set password" settings panel.
• This gets pre-empted by Legalpad (although we'll potentially survive this with the URI intact).
• This also gets pre-empted by the "Set MFA" workflow. If the user completes this flow, they get redirected to a /auth/multifactor/?id=123 sort of URI to highlight the factor they added. This causes us to lose the /settings/panel/password/blah/blah?key=xyz URI.

The ordering on this is also not ideal; it's preferable to start with a password, then do the other steps, so the user can return to the flow more easily if they are interrupted.

Resolve this by separating the "change your password" and "set/reset your password" flows onto two different pages. This copy/pastes a bit of code, but both flows end up simpler so it feels reasonable to me overall.

We don't require a full session for "set/reset password" (so you can do it if you don't have MFA/legalpad yet) and do it first.

This works better and is broadly simpler for users.

Test Plan:

• Required MFA + legalpad, invited a user via email, registered.
  • Before: password set flow got lost when setting MFA.
  • After: prompted to set password, then sign documents, then set up MFA.
• Reset password (with MFA confgiured, was required to MFA first).
• Tried to reset password without a valid reset key, wasn't successful.
• Changed password using existing flow.
• Hit various (all?) error cases (short password, common password, mismatch, missing password, etc).

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13024

Differential Revision: https://secure.phabricator.com/D18840