[DanBC]

For most of your users creating a new password will be much less secure than giving them a password.

> B. Minimum password length/complexity. It's not hard to do.

It is hard to do. That's why so many people reuse passwords, or have hopelessly weak passwords. (Some word with a few vowels swapped for digits, or some word with two digits tacked on the end.)

I agree that sending passwords over email is sub-optimal, but the solution is not to surprise users with a password creation screen.

[sunchild]

Are you taking the position that only auto-generated passwords can be secure? I'm trying to understand what conclusion to draw from your comment.

My point was that imposing length validations on passwords is not hard. Complexity validation, while more difficult, is also not exactly a novel problem.

I feel like I'm in bizarro-world with all these people telling me that sending a plaintext password via email is more secure than giving users the option to follow an authenticated link to create their own password because...users can't be trusted to choose good passwords?! Really?

[DanBC]

What are the risks for each situation?

Users are hopeless at creating secure passwords. They are especially hopeless at creating secure passwords if you suddenly present them with a password creation screen.

Adding complexity generation does not help. If anything, it makes things worse. People use stupid weak passwords, often re-using them across different websites. They'll do simple substitutions of digits for vowels, or they'll use one word with a couple of digits stuck on the end.

Complexity validation gives a false sense of security.