PHP Registration: Auto-generate password or let user choose it

Question

During registration, I'm debating how I should set user password:

• Let the user choose it. If I do this, I have to enforce some standards (length, weakness, may involve regexes, etc.) What do you normally do when you choose this way and why? Is there a library available for PHP for this?

• Auto-generate the password for the user and email it to them to the email they provided. They can't log in without getting the password so it's email verification too. Problem is the password may be too difficult for the user to remember. If I allow them to change it to something easier, that defeats the purpose of me choosing it for them in the first place. I'm also worried about the act of transmitting the password (as plain un-hashed password) in an email.

I'm leaning towards the second, but would prefer a more informed answer before choosing. There are probably things I'm not paying attention to like user convenience and other technical issues too. What do you do?

Edit: Based on the answers, I'm going with the first option then, letting the user choose. My question would then be, what password strength/length/etc. should I require, and how do I enforce it? Are there PHP libraries available for that?

Answer 1

here the code to generate Password with alphanumaric values

function genRandomString() {
        $length = 8;
        $characters = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        $string = "";    

        for ($p = 0; $p < $length; $p++) {
            $string .= $characters[rand(0, strlen($characters))];
        }

        return $string;
    }

you do the following

$mailPass =genRandomString();

Answer 2

I think there is only one answer to this. Let the user make her own password! Everything else is programmer lazyness and bad interaction design and customer friendlyness (IMO).

Now I'd see a few exceptions, namely if it is some kind of low-importance intranet system with only a handfull of users who agree to this or if it is a one-shot account which people won't need to login later on.

You need to hash&salt your passwords anyways, even if you generate them yourself. All you need to add, is some validation rules at the first submit of the user. That's probably even easier to make than a good password generation tool.

Password strength

A link to a post about 10 password strength meters

Answer 3

PHP password strength. This page has some basic code that's clean code so you should be able to modify it to suit your needs. Based on code from: http://www.tutorialtoday.com/read_tutorial/113/

Tests for lowercase / uppercase / numbers / nonword / at least 8 chars. If all of the conditions are met strength will be equal to 5.

$password = **HOW YOU GET THE PASS***($_POST['pass'])????; 
    $strength = 0; 
    // letters (lowercase) 
    if(preg_match("/([a-z]+)/", $password)) { 
        $strength++; 
    } 
    // letters (uppercase) 
    if(preg_match("/([A-Z]+)/", $password)) { 
        $strength++; 
    } 
    // numbers 
    if(preg_match("/([0-9]+)/", $password)) { 
        $strength++; 
    } 
    // non word characters 
    if(preg_match("/(W+)/", $password)) { 
        $strength++; 
    } 
   // longer than 8 characters
    if(strlen($password) > 8)) { 
        $strength++; 
    } 


    if ($strength >= 5)
      print "woo hoo";
    else
      print "bah";

Answer 4

You could always suggest a random password if the user's imagination suddenly turns blank. Of course you made sure the generated password is "strong" (according to your rules), and you would have a "suggest a new password"-button.

Users that don't want complicated passwords or unique passwords for different sites will always change to the one they would have picked if you would have let them in the first place. In this case, you made them impatient because you:

• sent out a valid password/activation code in an email
• made them check their email inbox (and perhaps wait for your email to arrive)
• made them change their password

Final advice: rather than forcing; encourage and emphasize the importance of a size password. The password-strength meter is one of the fun ways to do this.

Answer 5

Personally I find it very irritating when access passwords are emailed as cleartext into the wild. Moreover, the user will in any case have the ability to change the password (I hope) and will therefore change it to something else than what you have generated. Thus, why not allow the user to pick a password he/she wants at registration time? Of course, it is neccessary to indicate weak passwords (and even maybe disallow their usage as a whole), but you do not really have to code the heart of this check, as there are dozens of ready-made js libraries that can do this for you.