Require the user to change their password on first login?

2👍

In short, yes.

You need to know which users need to change their password. If you don’t want to use a custom User model, I would recommend having another model to store the users that need to change their password. You would add the users to this table upon user registration/creation.

Then you could write a very simple middleware to check the currently logged-in user (place it after AuthenticationMiddleware in your settings.py). If the user is flagged as requiring a password change, you could force an HttpResponse (in the middleware) to a custom view with a PasswordChangeForm (which comes out of the box in Django, in django.contrib.auth.forms.PasswordChangeForm), after which you could remove the flag from the user, and redirect them to the home page.

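A sketch of the middleware the answer describes, added here as an example and not code from the answer. The `accounts.models.PasswordChangeRequired` flag model and the URL paths are assumptions; the exempt list is what keeps the change page from redirecting to itself.

```python
"""Added example: send flagged users to the password-change page."""

# Assumed URL paths; a real project would take these from its urls.py.
CHANGE_URL = "/accounts/password_change/"
# The change page itself must be exempt or the redirect loops forever;
# logout and static files stay reachable so the page renders and the
# user can still sign out.
EXEMPT_PREFIXES = (CHANGE_URL, "/accounts/logout/", "/static/")


class ForcePasswordChangeMiddleware:
    """List this after AuthenticationMiddleware in settings.MIDDLEWARE,
    so request.user is already populated when it runs."""

    def __init__(self, get_response):
        self.get_response = get_response

    def must_change(self, user):
        # Hypothetical flag model: one row per user who still has to
        # change the password. Rows are created at registration and
        # deleted by the change view only after the form saved.
        from accounts.models import PasswordChangeRequired
        return PasswordChangeRequired.objects.filter(user=user).exists()

    def redirect(self, url):
        # Imported lazily so the class can be unit-tested without a
        # configured Django project.
        from django.http import HttpResponseRedirect
        return HttpResponseRedirect(url)

    def __call__(self, request):
        user = getattr(request, "user", None)
        if (
            user is not None
            and user.is_authenticated
            and not request.path.startswith(EXEMPT_PREFIXES)
            and self.must_change(user)
        ):
            # Every other path, including POSTs, is blocked until the
            # flag is cleared, so the check cannot be skipped by
            # navigating away from the form.
            return self.redirect(CHANGE_URL)
        return self.get_response(request)
```

The view behind `CHANGE_URL` should delete the flag row only after `PasswordChangeForm.save()` succeeds, so an abandoned form leaves the user flagged.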