User password creation does not assure confidentiality
Only the user must know his password. Even system administrators should not be able to know the password for a given user. Anyone, even internally, with access to the user's password prevents the traceability of linking the user to his actions. This prevents the user accountability for their actions. If a user is caught committing a fraud, he can always say that wasn't him but one of the administrators that also know his password.
There are two ways to implement this control. Both assumes that the record of the password in the database is done right. The creation of the password can be one of these two ways:
- The user enters their own password at registration;
- The system generates a temporary password or an activation token that the user use to set his password;
Note that in the second case, the token security level should be at least similar to the password and it should obliged the exchange it on the first login. The token should be randomly generated by the system and should have limited validity. The mode of transmission of this token for the user is usually by email.