I am looking for pros and cons of assigning passwords to users instead of letting them choose their own.

The site I am building currently generates a password for users upon registration. The password is emailed to user. The user logs in with password. Typical password: nU2y6&h#Dm5*.

Correct me if I am wrong, but almost every website allows users to choose their own passwords: Google, Yahoo, Facebook, YouTube, Twitter, and so on. For the first 20 years of the internet people were taught to think of a password they could memorize. I think this is obsolete knowledge. I have 78 different passwords. Each of them is complex and stored on paper. My guess here is that websites do not want to risk upsetting users by forcing a new complex password on them, and that is why they don't do so.

I am looking for pros and cons on this subject. Should I allow users to choose their own, or should my site generate a password for them? I will start with a reason.

Con - If I generate a password for users, they might blame me if they cannot get it to work.
Asked by: kadin

3 Solutions

John Hurst (Business Consultant, Owner) commented:
I am inclined not to use any site that will not let me select my own password. I do not have any current site where I have not chosen my own password.

I have a scheme for setting passwords. You will not know what that is, but then your password will always be in my way.

I cannot think of any Pros to this one.

rindi commented:
It is always the user that should create his password. The only reason for delivering one to them is for a first-time logon, but once logged on it should be mandatory for the user to change it immediately. Your environment should also enforce a certain password complexity, and it should also require regular password changes.

kadin (Author) commented:
Thank you both for your responses.

The biggest concern I have is that I thought I read that a whole website is vulnerable to the weakest user password. So if just one person chose a password like "monkey", that would compromise the entire site. I don't know how true this is.

I would think it would be more secure for a website and less work for the user if the website generates a complex password for them rather than forcing the user to create a complex password on their own.

Of course tech guys like us would rather do this ourselves.

John Hurst (Business Consultant, Owner) commented:
I am not a website creation expert, but you should be able to secure your website even if I create my own password. Most sites today check password strength (no issue for me), but only one or two enforce change frequency as rindi was suggesting.

A simple password may put the user's information at risk, but should not compromise the entire site. If that were true, all users could compromise your site. You need to put in controls there.

You risk not having many users, I think, because people won't want to pull out a piece of paper every time they wish to use your site. Yes, users can get a password tool but most won't.

FrankCrast commented:
As mentioned previously, websites should ensure that new users who register select their own passwords, with good security rules in place. I'd recommend enforcing complex passwords, a minimum length of 10 characters, and a lockout policy for sites hosting sensitive information (like financial or healthcare data). Allowing users to select a unique login ID instead of their e-mail is also a good practice.

Of course, you have to weigh the pros and cons of user convenience vs. security, but more and more sites are switching to a higher standard when it comes to password management. Even just a couple years ago, many big bank brands didn't support strong passwords. Now many do.

I also like the password strength "calculator" that can be used to show users how strong passwords are without actually enforcing stronger passwords to all. These seem to be effective.

Ensure access is limited to only what's required for that account or their role. Stronger access controls (such as two-factor) should be enforced for administrator accounts or accounts with broader privileges, along with password rotations (e.g., change every 90 days).

In terms of enterprises that need to give out new IDs and access to new employees, I'd recommend having a tool randomly generate a unique, complex password to forward to new employees. Active Directory and most good Identity Management and Access Management tools can help automate the process. Send password and IDs separately as well and ensure users are forced to "change password upon first logon." This is important to ensure accountability and legal protections (e.g., an admin didn't "steal" a user's password to gain unauthorized access).

rindi commented:
I agree with the above. Normally your password-setting software can enforce password complexity, which means you need special characters, lower- and upper-case letters, and a certain password length. If your password doesn't follow those rules, you can't set and use it.

kadin (Author) commented:
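As an added illustration (not code from this thread or from kadin's site), the following Python sketch puts together the controls FrankCrast and rindi describe: a site-generated first-logon password from the OS CSPRNG, a complexity rule (10+ characters with lower, upper, digit and special), salted password hashing, a lockout counter, and a mandatory change on first logon. MAX_FAILURES, the alphabet and the PBKDF2 parameters are assumed values, not recommendations from the thread.

```python
import hashlib, hmac, os, secrets, string

MIN_LENGTH = 10      # minimum length suggested by FrankCrast
MAX_FAILURES = 5     # lockout threshold; assumed value, not from the thread
ALPHABET = string.ascii_letters + string.digits + "!#$%&*@"

def meets_policy(pw: str) -> bool:
    """rindi's rule: minimum length plus lower, upper, digit and special character."""
    return (len(pw) >= MIN_LENGTH
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))

def generate_initial_password(length: int = 12) -> str:
    """Site-generated first password (like nU2y6&h#Dm5*), retried until it meets policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw

def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is stored, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, initial_pw: str):
        self.salt = os.urandom(16)
        self.digest = hash_password(initial_pw, self.salt)
        self.must_change = True   # "change password upon first logon"
        self.failures = 0
        self.locked = False

    def login(self, pw: str) -> str:
        """Returns 'locked', 'denied', 'change_required' or 'ok'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(hash_password(pw, self.salt), self.digest):
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES   # lockout policy
            return "denied"
        self.failures = 0
        return "change_required" if self.must_change else "ok"

    def change_password(self, old_pw: str, new_pw: str) -> bool:
        """Rejects a weak replacement; a successful change clears the first-logon flag."""
        if self.login(old_pw) not in ("ok", "change_required") or not meets_policy(new_pw):
            return False
        self.salt = os.urandom(16)
        self.digest = hash_password(new_pw, self.salt)
        self.must_change = False
        return True
```

A weak password like "monkey" is rejected by meets_policy, so one user's poor choice cannot be set in the first place, while the per-account lockout and salted hashing keep a guessed or leaked password from affecting other accounts.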
Thank you all for your help.

John Hurst (Business Consultant, Owner) commented:
@kadin - You are very welcome and I was happy to help.