Is it better to Auto-Generate your New Member's User/Password?
Please vote.
The advantage of auto-gen is, it's a strong password vs. they usually choose an easy one which gets hacked. :2 cents: |
yes
45678 |
I hate auto-generated passwords... just more crap I have to hunt down and change. If a site auto generates my pass, and also requires an email confirmation link I need to click, I hate the site. Email confirmation is one thing, but I can't see how auto-generating something I should create myself; my login credentials, regardless of how retarded they may be, should be left up to me.
Really, how is "asd%$#908sd!!" as a password different from "fuck" when both can get posted somewhere or pasted into a scraper? |
Quote:
does not prevent posting of user/pass somewhere, but decreases the chances of password hacks |
Technically yes, practically no :)
|
You could let them generate the password themselves and then auto-expire every 30 days to protect from content thievin... :2 cents:
|
Auto Gen :)
|
Quote:
Then again, what is one trying to protect: user stupidity or content of a site the user joins up with? As we all know, "security is a myth". Does one make the user jump through hoops to join, or just let the user in. One can even implement a solution that keeps track of logged in accounts and denies subsequent logins from the same account if a threshold is met. Then you run into dumb users sharing their logins and not realizing they were stupid and you have a help desk issue as Manowar pointed out. I've got no answers. I just hate auto-generated passes. |
I just hate auto-generated passes when I'm the one getting them
|
I wish we didn't have to auto generate as I hate it too, but honestly people pick fucking retarded user / pass combo. Just stupid. lol
|
auto gen with RoboForm or 1Password(mac). That way all your passwords are different but you have 1 master to access/fill
|
Quote:
on the other hand "asd%$#908sd!!" is unlikely to be on a brute force attack. |
Quote:
Makes it harder for brute shit, and for username/passwords being compromised at one site and then the person gets nailed everywhere else on top of it for using the same ones. Just remind the people to click the save log in detail box or whatever. |
Depends on the type of site, e.g. a dating site, allow users to enter their own, as getting onto the site is part of the sales funnel, and you don't want to lose a customer when they can't remember a pass and their email is bolloxed. For a paysite, I would autogen to ensure that it's strong.
|
Quote:
and this increases the pass word strength. However when the user creates the pass word the pass word traders can sometimes be spotted right away by the pass word they chose. When a join comes in and the pass word is "123456" I just immediately delete the user and issue a refund. It's going to chargeback/bounce anyway so just kill the account before that happens. I wouldn't catch those if I generate the password myself. |
Letting users choose their own passwords sucks because so many choose "password" for their password, or something equally as easy to guess. A great many will choose a dictionary word or a variation on a dictionary word, such as adding a single digit to the end, so that's easy for the bad guys to guess. Typical auto generated passwords suck because "Ad%O$#908sD^!" is very hard to remember and easy to mistype. We found another approach which doesn't suck, and we made a free online tool for anyone who wants to use it. We generate passwords which LOOK like English words, so they are very easy to type and aren't too hard to remember. They are NOT actually words, though, so they won't be in the cracker's dictionary. Examples are frucspin and relitemer. The free tool to generate these can be found at: http://www.bettercgi.com/strongbox/passgen/ |
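Added example, not part of the post above and not the code behind the linked tool: one way to generate word-like passwords of the kind that post describes, with an entropy estimate so the length can be chosen against a target. The syllable lists, the tiny stand-in dictionary and the 40-bit default are assumptions.

```python
import math
import secrets

# Assumed syllable inventory (not taken from the tool linked in the post).
ONSETS = ["b", "c", "d", "f", "g", "l", "m", "n", "p", "r", "s", "t",
          "br", "cr", "dr", "fr", "gr", "pl", "pr", "sp", "st", "tr"]
VOWELS = ["a", "e", "i", "o", "u"]
CODAS = ["", "c", "l", "m", "n", "r", "s", "t"]

# Constructed stand-in for a real cracking dictionary.
DICTIONARY = {"better", "master", "sister", "carpet", "garden"}


def syllable():
    """One onset+vowel+coda syllable drawn from the OS CSPRNG."""
    return (secrets.choice(ONSETS) + secrets.choice(VOWELS)
            + secrets.choice(CODAS))


def bits_per_syllable():
    """Upper bound on entropy per syllable (uniform, independent picks).

    It is an upper bound because different syllable splits can spell the
    same string, e.g. "sas"+"ta" and "sa"+"sta".
    """
    return math.log2(len(ONSETS) * len(VOWELS) * len(CODAS))


def generate(min_bits=40, dictionary=DICTIONARY):
    """Return (password, estimated_bits) with at least min_bits of entropy."""
    count = math.ceil(min_bits / bits_per_syllable())
    while True:
        word = "".join(syllable() for _ in range(count))
        # Reject the rare candidate that happens to be a real word.
        if word not in dictionary:
            return word, count * bits_per_syllable()


if __name__ == "__main__":
    for target in (20, 40, 60):
        pw, bits = generate(target)
        print(f"target {target:>2} bits -> {pw} (~{bits:.1f} bits)")
```

Under this assumed inventory a two-syllable word carries under 20 bits, so word-like passwords need more syllables than they need random symbols to resist offline guessing.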
it's not about random or not random if you use protection as strongbox. random passes are good for sites that cannot afford sb, pennywize or some ip blocking software ... but users don't like it ... even if you have hole in system and their random passes are "hacked" ... it's not about random or not ... :2 cents:
|
Autogenerate with random is the best as well as using Proxypass.
|
keep the votes coming!
|