Generate username & password or let new signup create their own?
I wanted to get some different opinions on whether it's better to automatically generate a more secure username and password for a new signup or give them the option to create their own? I currently let them create their own but think I would have far fewer hacks and shared ids if I didn't. Not sure if it has any impact on a sale.
Their own :pimp
Quote:
When you generate for them, prepare for an endless amount of support mails because most of them can't remember "76eYfsh25" and never seem to remember they have an email with that pass in it, or the fact that they can set their browser to remember the password.
We cut our support mails down by around 99% when we let them choose their own user/pass. I trust Strongbox will take care of most of the hackers and password traders.
I say let the user create their own. They will remember it by heart, won't have to email you asking for it, etc... If they are going to share it with friends, they will whether it's randomly generated or not. Same goes with the hacked accounts, it will be stolen from an end user via some malware either way.
create by yourself, store somewhere and encrypt
Quote:
Let them create their own.
We let them use their own password and then use strong encryption to store it in the database ...
Don't even let the fuckers into your members area in the first place! :2 cents:
Just take their money, and tell 'em to go fuck themselves... :321GFY ZERO PIRACY that way... :thumbsup
Quote:
We favor a kind of middle ground, and have built a free tool to make it easy for you to do.
When users choose their own, approximately 15% will choose a password from the top 10 most popular. These are things like "password" and "123456". The bad guys know what those top ten passwords are, and they will be guessed. So letting users choose their own doesn't work too well. At least, not as most adult sites do it.

The way banks do it is a little better - you can choose your own, but subject to certain rules, so you're not allowed to have "password" as your password. Of course, many sites are TOO restrictive in their rules -- 8-10 characters, must start with a letter, must not ... Longer passwords are always better, so 8-10 characters is a dumb rule.

Assigning random passwords also has problems. Paying customers are often people who are not technically sophisticated enough to find what they want for free, so they have trouble even TYPING "lI1Kg`O0^}+", much less REMEMBERING it.

The middle ground we use is to assign passwords that are easy for most people to type and can even be remembered, but are not easy for the bad guys to guess. The passwords created by our free tool look like words and can be pronounced like words, so they can be typed. An example would be "betorling". That's easier to type than "J(dD?/gW", and certainly easier to remember. "betorling" isn't really a word, though, so it's not in the bad guys' dictionary.

The free password generator can be found at: https://bettercgi.com/strongbox/passgen/
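An added example, not Strongbox's tool or code from anyone in this thread: a small Python generator for word-like, syllable-built passwords of the "betorling" kind the post describes, with the bank-style rule that rejects the most popular choices. The consonant and vowel sets, the four-syllable default and the ten-entry blocklist are assumptions constructed for this example.

```python
import math
import secrets

# Consonants picked for unambiguous typing (no l, q, x, y); an assumption of this example.
CONSONANTS = "bcdfghjkmnprstvwz"
VOWELS = "aeiou"
# Every syllable shape we allow: consonant+vowel, or consonant+vowel+consonant.
# Picking uniformly from this list keeps the entropy calculation exact.
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS] + \
            [c + v + c2 for c in CONSONANTS for v in VOWELS for c2 in CONSONANTS]
# Constructed stand-in for the "top 10 most popular" list the post refers to.
TOP10_BLOCKLIST = {"password", "123456", "12345678", "qwerty", "abc123",
                   "monkey", "1234567", "letmein", "trustno1", "dragon"}

def pronounceable_password(syllables: int = 4, rng=None) -> str:
    """Join random syllables into a pronounceable non-word (e.g. be-tor-ling).
    Defaults to the OS CSPRNG; a seeded random.Random can be passed for tests."""
    rng = rng or secrets.SystemRandom()
    return "".join(rng.choice(SYLLABLES) for _ in range(syllables))

def syllable_entropy_bits(syllables: int) -> float:
    """Strength comes from how many syllables could have been chosen, not from how
    the result looks: log2(number of syllable shapes) per syllable."""
    return syllables * math.log2(len(SYLLABLES))

def is_weak(password: str) -> bool:
    """The bank-style rule from the post: block the popular list and very short choices."""
    return len(password) < 8 or password.lower() in TOP10_BLOCKLIST
```

With 1530 possible syllables, four syllables give about 42 bits, which is where the strength of such a scheme has to be measured, not in how random the string looks.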
Quote:
Quote:
site, as many sites do these days. Especially on a PHP powered site, you have to assume that the bad guys can see your database. That means that unless the passwords are properly encrypted, they can see ALL of your passwords. Having thousands of passwords posted everywhere is not a fun experience, so they need to be encrypted to keep the bad guys from reading them and posting them. (Technically, they are hashed.)

So what's the proper encryption? By default, the processors use a type of encryption called a DES hash. It's used because it's always available, having been a standard since 1972. In 1972, it was pretty hard to crack. Of course, computers of the time had 500 kHz processors and 8 KB of RAM. It would take a few years to crack a DES password, since the 8 bit CPU ran at 0.0005 GHz. In 2011, with quad core 64 bit 2 GHz processors, they can be cracked over 80,000 times faster. Running a typical DES password list on a modern machine gives up passwords in under one second. So DES is useless, but it's still the default.

For modern attackers, rather than 1972 attackers, you want modern encryption. Given the Blowfish bug, that means salted SHA if your server supports it or salted MD5 if not. The geeks who make Linux made it very easy to upgrade your encryption. All that needs to be done is to adjust your processor's script to pass a different salt value, and we can take care of that for you. Today's encryption is expected to be solid for another 30 years or so, so in 2041 you can upgrade again.
MacFly, Troy just posted a good analysis of what happens when users choose passwords. The one sentence summary is that they choose easily guessed passwords 70% of the time. http://www.troyhunt.com/2011/07/scie...selection.html
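The upgrade path the quoted post describes, as an added example that is not code from this thread or from Strongbox: the stored hash's scheme is recognised from its salt prefix (the way crypt(3) selects its algorithm), and a legacy DES or MD5-crypt record is rehashed the next time the user logs in successfully, since old hashes cannot be converted offline. PBKDF2-HMAC-SHA256 from Python's standard library stands in for "salted SHA" here, the round count is an assumed value, and the 13-character legacy string in the test is constructed.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # current work factor; an assumed value for this example

def classify(stored: str) -> str:
    """Name the scheme from the salt prefix, as crypt(3) does: "$1$" MD5-crypt, "$5$"
    SHA-256-crypt, "$6$" SHA-512-crypt; a bare 13-char string is the old DES scheme."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2-sha256"
    for prefix, name in (("$6$", "sha512-crypt"), ("$5$", "sha256-crypt"), ("$1$", "md5-crypt")):
        if stored.startswith(prefix):
            return name
    if len(stored) == 13 and "$" not in stored:
        return "des-crypt"
    return "unknown"

def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted SHA-256 via PBKDF2; a fresh 16-byte salt and the round count are stored
    with the digest so the work factor can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    b64 = lambda b: base64.b64encode(b).decode()
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, b64(salt), b64(dk))

def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a pbkdf2_sha256 record; any other format fails closed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(parts[2]), int(parts[1]))
    return hmac.compare_digest(dk, base64.b64decode(parts[3]))

def needs_upgrade(stored: str) -> bool:
    """Legacy schemes, and modern records below the current round count, get rehashed."""
    if classify(stored) == "pbkdf2-sha256":
        return int(stored.split("$")[1]) < PBKDF2_ROUNDS
    return True

def login(password: str, stored: str, legacy_verify):
    """Return (ok, record_to_store). The only moment an old DES/MD5 hash can be upgraded
    is right after a successful login, while the plaintext is in hand; legacy_verify
    (password, stored) checks the old scheme, e.g. by calling crypt(3) with the old salt."""
    if classify(stored) == "pbkdf2-sha256":
        ok = verify_password(password, stored)
    else:
        ok = legacy_verify(password, stored)
    return (True, hash_password(password)) if ok and needs_upgrade(stored) else (ok, stored)
```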