Setup: Forms 9i, 9iDB

Is anyone aware of a simple way or simpler/safer than my thoughts below for a user to update an expired oracle password from a forms app? Here is what I am doing now.

In my forms app I create a user using dynamic sql thus:
CREATE USER "'||employee_id||'"'||
' IDENTIFIED BY mdm_new PROFILE mdm_member '||
' DEFAULT TABLESPACE DATA'||
' TEMPORARY TABLESPACE TEMP'||
' PASSWORD EXPIRE'||
' ACCOUNT UNLOCK';

The mdm_member profile is defined thus:
CREATE PROFILE mdm_member LIMIT
PASSWORD_LIFE_TIME 80
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_MAX 3
FAILED_LOGIN_ATTEMPTS 3;

In a normal sequence when a password has expired and the grace period entered the app can detect this and allow a user to update their password. Put if the user is created with "PASSWORD EXPIRE" it does not appear that the grace period comes into play. It seems like a bug but I did not see any current issues on MetaLink. I do not have a real good record when it comes to searching for info so if you find something please tell me. If I am doing something wrong above I know you all will tell me also.

Any way:
If the connect fails there is no connection made (like SQLPlus) that allows you to input a new password.

Here are the approaches I have considered:

1) Create a specialized user account that has ONLY connect and alter any user privs. Behind the scenes connect as that user when an expired password is detected. After the password is changed reconnect as the "real" user before proceeding. This seems to have some security issues but ...

2) Create a specialized profile like:
CREATE PROFILE new_user LIMIT
PASSWORD_LIFE_TIME 1/1440
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_MAX 3
FAILED_LOGIN_ATTEMPTS 3;

This saves needing to use "PASSWORD EXPIRE" (the password expires 1 minute after the user is created) and this method does seem to invoke the grace period. But then I need to assign them the "real" profile as soon as they changed their password. In practice I would probably just assign them the default password whenever their password changes. This seems the safest but I am open to suggestions.