Suggested by hanoii in #1332000-20: Feature to exclude pages from force password change:

One addition though, might be good to add file/ajax/* to the default value for the new configuration setting, as it can be present on the user profile if it uses the default user picture.

I worry though that that path is used for more than just the user pictures, and that it could give some access to a user who is not supposed to be able to access the site beyond the password change page.