Kevin R.

Reputation: 346

User Registration Experience: Email Generated Password?

I'm developing a web app and I'm doing my best to get users (actually approaching them on the street... it's a local thing), and one consistent thing that's been a complaint is that people hate registering, so I'm trying to get the info down to the bare minimum.

I want to have an email as the only form, and then generate their password and send it via email for them to activate later. This isn't exactly a standard practice but I can't think of anything that can go wrong with it.

Am I missing something?

Upvotes: 0

Views: 69

Answers (1)

Bob Brown

Reputation: 1502

I can think of two things. The more important one is that a generated password may be less guessable than a user-entered password, but it's also 100% forgettable. You will be dealing with a lot of password resets, which will be hard if the only other bit of information you have is email address.

Sending a password in email exposes it to anyone who has access to the registrant's email account: spouse, SO, roommate, ISP, NSA, etc. In your case, this may be the lesser of the two problems.

So, let 'em enter a password, even if that seems less "secure." And, no matter where the password comes from, be sure you store it properly: http://bitmonger.blogspot.com/2012/07/six-simple-rules-for-secure-storage-of.html

Edited to add: If you were going to send a one-time password and let them change it, send a link instead. It's easier to understand. Also, no matter how you end up doing the initial sign-up, you need a "click this" link before you send any more email, lest other people "help their friends get more email" by signing them up.

Upvotes: 1
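
The link-based sign-up the answer recommends, as an added example that is not part of the original answer: the email carries a single-use, expiring activation link, and the user picks a password only after clicking it. The function names, the in-memory dicts standing in for database tables, the 24-hour lifetime, the `app.example` host, and the choices to store only a hash of the token and to use scrypt for the password are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600   # assumed lifetime of an activation link, in seconds
pending = {}            # token hash -> (email, expiry); stands in for a DB table
accounts = {}           # email -> (salt, scrypt key); stands in for a DB table

def token_digest(token):
    # Only this hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def start_signup(email, now=None):
    """Record a pending sign-up and return the activation URL to email out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    pending[token_digest(token)] = (email, now + TOKEN_TTL)
    return f"https://app.example/activate?token={token}"   # placeholder host

def activate(token, password, now=None):
    """Consume the link once; create the account with the user's own password."""
    now = time.time() if now is None else now
    entry = pending.pop(token_digest(token), None)   # pop makes it single-use
    if entry is None or now > entry[1]:
        return False                                 # unknown, reused or expired
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    accounts[entry[0]] = (salt, key)   # no account (and no more email) before this
    return True

def check_password(email, password):
    """Verify a login attempt against the stored salted scrypt key."""
    if email not in accounts:
        return False
    salt, stored = accounts[email]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, stored)
```

Nothing that works as a long-term credential ever passes through the mailbox: the link stops working after first use or after `TOKEN_TTL`, whichever comes first.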
