Question

I'm developing a registration system for a project I'm working on.

Since users tend not to sign up if the process is too long, I've thought of requiring (at least initially) just their email, to which I would send them their automatically generated password (and that would also allow me to verify their email address). That would also prevent them from choosing a weak password in order to complete the registration fast.

I haven't found any downsides so far, but I'm afraid there are some as I've never seen a site using this system.

Is that a good idea?

PS: of course I'm also implementing sign-up via Facebook and other similar services to allow people to sign up fast without the need for a password, but many may want to choose the classic sign-up for privacy concerns or because they don't use any of those services.


Solution

The problem is that a password should appear in plain text as rarely as possible.

In your case, the password appears in plain text in an e-mail. This has several drawbacks:

  • If the account of the person is compromised, the hacker gets access to your website as well.

  • If there is a malicious man in the middle, he can access the password with ease.

Moreover:

  • Auto-generated passwords are difficult to remember, so instead of making life easier for your users, you are making it more difficult and at the same time encouraging them to write the password down on a Post-it, which may not be the best thing in terms of security.

This is why most websites which generate such passwords during registration make them one-use passwords. In other words, the user receives an e-mail with a random password, but once he uses it to log in, the website immediately asks for the new password chosen by the user, preventing the three drawbacks mentioned above.
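The single-use flow described in this answer, as an added example that is not part of the original answer: registration creates the account with a random temporary password (the value that would go in the e-mail), stores only a salted PBKDF2 hash of it together with a must-change flag and an expiry, and the first login is only allowed to proceed to choosing a real password, after which the temporary one no longer works. The in-memory `Registry` class, the 24-hour expiry, the 12-character minimum for the new password and the injectable `now` clock are assumptions made for the example; e-mail delivery is not shown, since the point is what the server keeps.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for this example.
TEMP_PASSWORD_TTL = 24 * 3600      # temporary password expires after 24 hours
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LEN = 12


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest); the server stores these, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    email: str
    salt: bytes
    digest: bytes
    must_change: bool               # True while only the e-mailed temporary password exists
    temp_expires_at: Optional[float]


class Registry:
    """Minimal in-memory account store (assumption: a real system would use a database)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {}
        self.now = now

    def register(self, email: str) -> str:
        """Create the account and return the temporary password to be e-mailed.
        Only its hash is kept; the plaintext exists just long enough to send."""
        temp = secrets.token_urlsafe(12)
        salt, digest = hash_password(temp)
        self.accounts[email] = Account(email, salt, digest, True, self.now() + TEMP_PASSWORD_TTL)
        return temp

    def login(self, email: str, password: str) -> str:
        """Return 'denied', 'must_change' (temporary password accepted, real one
        still required) or 'ok' (normal login)."""
        acct = self.accounts.get(email)
        if acct is None:
            return "denied"
        if acct.must_change and acct.temp_expires_at is not None and self.now() > acct.temp_expires_at:
            return "denied"           # unused temporary password has expired
        if not verify_password(password, acct.salt, acct.digest):
            return "denied"
        return "must_change" if acct.must_change else "ok"

    def set_password(self, email: str, temp_password: str, new_password: str) -> bool:
        """Complete the first login: the temporary password must still be valid,
        the new one must meet policy, and afterwards the temporary one is dead."""
        if self.login(email, temp_password) != "must_change":
            return False
        if len(new_password) < MIN_PASSWORD_LEN or new_password == temp_password:
            return False
        acct = self.accounts[email]
        acct.salt, acct.digest = hash_password(new_password)   # old hash overwritten
        acct.must_change = False
        acct.temp_expires_at = None
        return True


if __name__ == "__main__":
    reg = Registry()
    temp = reg.register("alice@example.com")      # constructed sample address
    print("would e-mail:", temp)
    print("first login:", reg.login("alice@example.com", temp))
    print("set password:", reg.set_password("alice@example.com", temp, "correct horse battery staple"))
    print("temp again:", reg.login("alice@example.com", temp))
    print("real password:", reg.login("alice@example.com", "correct horse battery staple"))
```

Because the stored record is a hash, an attacker who later reads the database cannot recover the e-mailed value, and because the temporary password is replaced on first use and expires if unused, the window in which the e-mailed plaintext matters is as short as the flow allows.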

OTHER TIPS

Honestly, there is not much value to it.

1) Most people use their own password that they remember. If they do, then making them change their password will take longer than filling in an extra field during registration.

The benefit of your system may be that by then the user is registered, so you won't lose them.

2) If they use a password manager, it is easier to just have the password manager fill in their preferred username and a random password with 1 click than to have to edit the entry afterwards and insert your generated password (likely to take 3 or 4 clicks extra).

3) The current system is so widely used that some people will be confused by the lack of a password field (as I was with Google, but it's Google and I trust it).

Licensed under: CC-BY-SA with attribution