diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
index b3dc0151b..32eb67034 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
@@ -13,6 +13,7 @@ import java.util.List;
 import java.util.Map;
 
 import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
@@ -53,6 +54,9 @@ public class Authenticate extends FreeMarkerHttpServlet {
 	/** The confirm password field on the password change form. */
 	private static final String PARAMETER_CONFIRM_PASSWORD = "confirmPassword";
 
+	/** If this parameter is "true" (ignoring case), cancel the login. */
+	private static final String PARAMETER_CANCEL = "cancel";
+
 	/** If they are logging in, show them this form. */
 	public static final String TEMPLATE_LOGIN = "login-form.ftl";
 
@@ -92,9 +96,13 @@ public class Authenticate extends FreeMarkerHttpServlet {
 				}
 				break;
 			case FORCED_PASSWORD_CHANGE:
-				user = checkChangeProgress(vreq);
-				if (user != null) {
-					recordSuccessfulPasswordChange(vreq, user);
+				if (checkCancel(vreq)) {
+					recordLoginCancelled(vreq);
+				} else {
+					user = checkChangeProgress(vreq);
+					if (user != null) {
+						recordSuccessfulPasswordChange(vreq, user);
+					}
 				}
 				break;
 			default:
@@ -109,6 +117,9 @@ public class Authenticate extends FreeMarkerHttpServlet {
 			case LOGGED_IN:
 				redirectLoggedInUser(vreq, response);
 				break;
+			case CANCELLED:
+				redirectCancellingUser(vreq, response);
+				break;
 			default:
 				showLoginScreen(vreq, response);
 				break;
@@ -176,6 +187,23 @@ public class Authenticate extends FreeMarkerHttpServlet {
 		}
 	}
 
+	/**
+	 * Are they cancelling the login (cancelling the first-time password
+	 * change)? They are if the cancel parameter is "true" (ignoring case).
+	 */
+	private boolean checkCancel(HttpServletRequest request) {
+		String cancel = request.getParameter(PARAMETER_CANCEL);
+		log.trace("cancel=" + cancel);
+		return Boolean.valueOf(cancel);
+	}
+
+	/**
+	 * If they want to cancel the login, let them.
+	 */
+	private void recordLoginCancelled(HttpServletRequest request) {
+		getLoginProcessBean(request).setState(State.CANCELLED);
+	}
+
 	/**
 	 * They are changing password. Are they successful?
 	 */
@@ -249,7 +277,7 @@ public class Authenticate extends FreeMarkerHttpServlet {
 
 		// Get a fresh user object, so we know it's not stale.
 		User user = getUserDao(request).getUserByUsername(username);
-		
+
 		HttpSession session = request.getSession();
 
 		// Put the login info into the session.
@@ -301,6 +329,20 @@ public class Authenticate extends FreeMarkerHttpServlet {
 		return;
 	}
 
+	/**
+	 * User cancelled the login. Forget that they were logging in, and send them
+	 * to the home page.
+	 */
+	private void redirectCancellingUser(HttpServletRequest request,
+			HttpServletResponse response) throws IOException {
+		// Remove the login process info from the session.
+		request.getSession()
+				.removeAttribute(LoginProcessBean.SESSION_ATTRIBUTE);
+
+		log.debug("User cancelled the login. Redirect to site admin page.");
+		response.sendRedirect(getHomeUrl(request));
+	}
+
 	/**
 	 * User is logged in. They might go to:
 	 * <ul>
@@ -462,6 +504,11 @@ public class Authenticate extends FreeMarkerHttpServlet {
 		return contextPath + Controllers.SITE_ADMIN + urlParams;
 	}
 
+	/** What's the URL for the home page? */
+	private String getHomeUrl(HttpServletRequest request) {
+		return request.getContextPath();
+	}
+
 	/**
 	 * What portal are we currently in?
 	 */
@@ -551,4 +598,10 @@ public class Authenticate extends FreeMarkerHttpServlet {
 		jenaOntModel.getBaseModel().notifyEvent(event);
 	}
 
+	@Override
+	public void doGet(HttpServletRequest request, HttpServletResponse response)
+			throws IOException, ServletException {
+		doPost(request, response);
+	}
+
 }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/login/LoginProcessBean.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/login/LoginProcessBean.java
index c20846b55..79e32aa5a 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/login/LoginProcessBean.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/login/LoginProcessBean.java
@@ -16,7 +16,7 @@ public class LoginProcessBean {
 			.getName();
 
 	public enum State {
-		NOWHERE, LOGGING_IN, FORCED_PASSWORD_CHANGE, LOGGED_IN
+		NOWHERE, LOGGING_IN, FORCED_PASSWORD_CHANGE, CANCELLED, LOGGED_IN
 	}
 
 	private enum MLevel {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/login/LoginTemplateHelper.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/login/LoginTemplateHelper.java
index 640154935..a31740025 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/login/LoginTemplateHelper.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/login/LoginTemplateHelper.java
@@ -43,6 +43,7 @@ public class LoginTemplateHelper extends LoginTemplateHelperBase {
 	public static final String BODY_INFO_MESSAGE = "infoMessage";
 	public static final String BODY_ERROR_MESSAGE = "errorMessage";
 	public static final String BODY_ALERT_ICON_URL = "alertImageUrl";
+	public static final String BODY_CANCEL_URL = "cancelUrl";
 
 	/** Use this icon for an info message. */
 	public static final String URL_INFO_ICON = "/images/iconAlert.png";
@@ -108,7 +109,7 @@ public class LoginTemplateHelper extends LoginTemplateHelperBase {
 
 	/**
 	 * The user has given the correct password, but now they are required to
-	 * change it.
+	 * change it (unless they cancel out).
 	 */
 	private TemplateResponseValues showPasswordChangeScreen(VitroRequest vreq) {
 		LoginProcessBean bean = getLoginProcessBean(vreq);
@@ -118,6 +119,7 @@ public class LoginTemplateHelper extends LoginTemplateHelperBase {
 		TemplateResponseValues trv = new TemplateResponseValues(
 				TEMPLATE_FORCE_PASSWORD_CHANGE);
 		trv.put(BODY_FORM_ACTION, getAuthenticateUrl(vreq));
+		trv.put(BODY_CANCEL_URL, getCancelUrl(vreq));
 
 		String errorMessage = bean.getErrorMessage();
 		if (!errorMessage.isEmpty()) {
@@ -186,6 +188,14 @@ public class LoginTemplateHelper extends LoginTemplateHelperBase {
 		return contextPath + "/authenticate" + urlParams;
 	}
 
+	/** What's the URL for this servlet, with the cancel parameter added? */
+	private String getCancelUrl(HttpServletRequest request) {
+		String contextPath = request.getContextPath();
+		String urlParams = "?home=" + getPortalIdString(request)
+		+ "&login=block&cancel=true";
+		return contextPath + "/authenticate" + urlParams;
+	}
+	
 	/**
 	 * What portal are we currently in?
 	 */
diff --git a/webapp/web/templates/freemarker/body/login/login-forcedPasswordChange.ftl b/webapp/web/templates/freemarker/body/login/login-forcedPasswordChange.ftl
index 2082b8e05..75758301d 100644
--- a/webapp/web/templates/freemarker/body/login/login-forcedPasswordChange.ftl
+++ b/webapp/web/templates/freemarker/body/login/login-forcedPasswordChange.ftl
@@ -22,5 +22,6 @@ ${stylesheets.addFromTheme("/login.css")}
               <input id="confirmPassword" type="password" name="confirmPassword"  />
               <input name="passwordChangeForm" type="submit" class="submit" value="Save Changes"/>
        </form>
+       <a href="${cancelUrl}">Cancel</a>
 </div>