I am looking for pros and cons of assigning passwords to users instead of choosing their own.

The site I am building currently generates a password for users upon registration. The password is emailed to the user. The user logs in with the password. Typical password: nU2y6&h#Dm5*.

Correct me if I am wrong, but almost every website allows users to choose their own passwords. Google, Yahoo, Facebook, YouTube, Twitter, and so on. For the first 20 years of the internet, people were taught to think of a password they could memorize. I think this is obsolete knowledge. I have 78 different passwords. Each of them is complex and stored on paper. My guess here is websites do not want to risk upsetting users by forcing a new complex password on them and that is why they don't do so.

I am looking for pros and cons to this subject. Should I allow users to choose their own or should my site generate a password for them. I will start with a reason.

Con - If I generate password for users, they might blame me if they cannot get it to work.
Asked by: kadin

John, Business Consultant (Owner), commented:
I am inclined not to use any site that will not let me select my own password. I do not have any current site where I have not chosen my own password.

I have a scheme for setting passwords. You will not know what that is, but then your password will always be in my way.

I cannot think of any Pros to this one.
rindi commented:
It is always the user that should create his password. The only reason for delivering one to them is for a first time logon, but once logged on it should be mandatory for the user to change it immediately. Your environment also should enforce a certain password complexity, and it should also require regular password changes.
kadin (author) commented:
Thank you both for your responses.

The biggest concern I have is, I thought I read that a whole website is vulnerable to the weakest user password. So if just one person chose a password like - monkey, that would compromise the entire site. I don't know how true this is.

I would think it would be more secure for a website and less work for the user if the website generates a complex password for them rather than forcing the user to create a complex password on their own.

Of course tech guys like us would rather do this ourselves.
John, Business Consultant (Owner), commented:
I am not a web site creator expert but you should be able to secure your website even if I create my own password. Most sites today check password strength (no issue for me), but only one or two enforce change frequency as rindi was suggesting.

A simple password may put the user's information at risk, but should not compromise the entire site. If that were true, all users could compromise your site. You need to put in controls there.

You risk not having many users, I think, because people won't want to pull out a piece of paper every time they wish to use your site. Yes, users can get a password tool but most won't.
FrankCrast, Co-founder and CEO, commented:
As mentioned previously, websites should ensure new users that register select their own passwords with good security rules in place. I'd recommend enforcing complex passwords and minimum length of 10 characters and a lockout policy for sites hosting sensitive information (like financial or healthcare data). Allowing users to also select a unique login ID instead of their e-mail is also a good practice.

Of course, you have to weigh the pros and cons of user convenience vs. security, but more and more sites are switching to a higher standard when it comes to password management. Even just a couple years ago, many big bank brands didn't support strong passwords. Now many do.

I also like the password strength "calculator" that can be used to show users how strong passwords are without actually enforcing stronger passwords to all. These seem to be effective.

Ensure access is limited to only what's required for that account or their role. Stronger access controls (such as two-factor) should be enforced for administrator or accounts with broader privileges, along with password rotations (e.g., change every 90 days).

In terms of enterprises that need to give out new IDs and access to new employees, I'd recommend having a tool randomly generate a unique, complex password to forward to new employees. Active Directory and most good Identity Management and Access Management tools can help automate the process. Send password and IDs separately as well and ensure users are forced to "change password upon first logon." This is important to ensure accountability and legal protections (e.g., an admin didn't "steal" a user's password to gain unauthorized access).
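The controls recommended in the answer above (a randomly generated first-logon password, a forced change at first logon, complexity rules with a 10-character minimum, and a lockout policy), shown together in Python. This is an added example, not code from the thread; the `Account` class, the function names, the lockout threshold of 5 and the special-character set are assumptions made for illustration.

```python
import hashlib, hmac, secrets, string

MIN_LENGTH = 10    # minimum length recommended in the answer above
MAX_FAILURES = 5   # assumed lockout threshold; the thread gives no number
SPECIALS = "!@#$%^&*"  # assumed set of accepted special characters

def policy_errors(password):  # complexity rules the password fails; [] = acceptable
    checks = [
        (len(password) >= MIN_LENGTH, f"at least {MIN_LENGTH} characters"),
        (any(c.islower() for c in password), "a lower-case letter"),
        (any(c.isupper() for c in password), "an upper-case letter"),
        (any(c.isdigit() for c in password), "a digit"),
        (any(c in SPECIALS for c in password), "a special character"),
    ]
    return [rule for ok, rule in checks if not ok]

def generate_temp_password(length=12):  # first-logon password from the OS CSPRNG
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:  # redraw until every character class is present
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_errors(candidate):
            return candidate

class Account:  # hypothetical account record, not a real framework class
    def __init__(self, login_id, issued_password):
        self.login_id, self.failures, self.must_change = login_id, 0, True
        self._store(issued_password)

    def _store(self, password):  # keep only a salted scrypt digest, never the password
        self.salt = secrets.token_bytes(16)
        self.digest = hashlib.scrypt(password.encode(), salt=self.salt, n=2**14, r=8, p=1)

    def login(self, password):
        if self.failures >= MAX_FAILURES:
            return "locked"  # lockout policy: stop testing guesses
        guess = hashlib.scrypt(password.encode(), salt=self.salt, n=2**14, r=8, p=1)
        if not hmac.compare_digest(guess, self.digest):
            self.failures += 1
            return "denied"
        self.failures = 0
        return "change_required" if self.must_change else "ok"

    def change_password(self, old, new):
        if self.login(old) not in ("ok", "change_required"):
            return ["current password rejected"]
        errors = policy_errors(new) + (["different from the old password"] if new == old else [])
        if not errors:
            self._store(new)
            self.must_change = False
        return errors
```

A caller treats `"change_required"` as permission to reach the change-password form only; an administrator unlock or timed reset of `failures` is left out here.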
rindi commented:
I agree with the above. Normally your password setting software can enforce password complexity, which means you need special characters, low and high case letters, and a certain password length. If your password doesn't follow those rules, you can't set and use it.
kadin (author) commented:
Thank you all for your help.
John, Business Consultant (Owner), commented:
@kadin - You are very welcome and I was happy to help.