by gluczywo 3407 days ago
> systems should probably not let users pick their passwords. That is, they get to pick a generated password (by the system)

It implies that the system knows the plaintext password. Even if the system deletes the password and keeps a hash, there remains the problem of distributing that password to the client in a secure way.

5 comments

Most services don't hash the password before sending it to the service, so it's going to pass through the service at some point.
You are right. The second point remains valid though.
If the client can securely transmit the password to the system for verification, the system can securely transmit it to the user in the first place.
The absolute majority of systems know the plaintext password on sign-up and subsequent logins. I don't think SRP or any similar protocols are at all common.
Depends on the system. If it's a website of some description you could always generate the password in the client's browser. Obviously you'd then need to be pretty careful to generate your suggested passwords in a secure way, because any attacker would have visibility of your password-generating system.
> It implies that the system knows the plaintext password

No it doesn't, the password can be generated client-side. I know that client-side code is not safe, but the purpose here is to protect people who are not tech savvy enough to figure that out.

> there remains the problem of distributing that password to the client in a secure way.

That's no different. It uses the same channel the user would send the password to it.

With the difference that when the user types the password it is not displayed on the screen. A server-side generated password must somehow be presented to the user.