Replies: 7 comments 1 reply
-
I've encountered the same issue before... we've counseled the website administrators to help talk them through customer support issues when the random is unknown and they have to do the reset steps, however having DNN be smart about it would be fantastic
-
@jncraig and @moorecreative - we have moved this to a discussion. It brings up some really valid points and from here some discussion needs to be had, decisions made and ultimately...actionable issues created for developers to pick up and resolve. Thanks!
-
This is what I have: enablePasswordRetrieval="false"
-
The thing is IMO this is the only behavior possible. Nobody knows the random password because it is hashed; even if we wanted to, we would not know the password, so a password reset is needed. So the user gets a link to the site where he gets asked to actually choose a password. The UI is smart enough to not request the old password and just asks the user to choose a new one. But I do agree the random password generation should produce a valid one though. This IMO is the only actionable item we have here, the rest looks to me like it is by design.
-
Yes, the main issue is that the system should create a valid random password. It should be fairly easy: Generate password, test password, rinse and repeat until a valid password is generated. As for the user maybe getting confused when asked to login, that probably can be handled by a careful rewrite of the welcome message.
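The generate-and-test loop suggested in the comment above, as an added example that is not code from this thread or from DNN. It assumes the policy is expressed through the ASP.NET membership settings minRequiredPasswordLength, minRequiredNonalphanumericCharacters and passwordStrengthRegularExpression; the class and method names, the alphabet and the sample regex are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text.RegularExpressions;

// Added example; hypothetical helper, not DNN's own code.
static class RandomPasswordDemo
{
    // Look-alike characters (l, I, O, 0, 1) left out; 69 symbols in total.
    const string Alphabet =
        "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*-_=+";

    // Unbiased pick: discard bytes that would skew the modulo.
    static char NextChar(RandomNumberGenerator rng, byte[] buf)
    {
        int limit = 256 - (256 % Alphabet.Length);
        do { rng.GetBytes(buf); } while (buf[0] >= limit);
        return Alphabet[buf[0] % Alphabet.Length];
    }

    // The "test password" step: length, non-alphanumeric count, optional regex.
    static bool MeetsPolicy(string pw, int minLength, int minNonAlnum, Regex strength)
    {
        return pw.Length >= minLength
            && pw.Count(c => !char.IsLetterOrDigit(c)) >= minNonAlnum
            && (strength == null || strength.IsMatch(pw));
    }

    public static string Generate(int minLength, int minNonAlnum, string strengthRegex, int maxAttempts = 1000)
    {
        // Match timeout guards against a pathological admin-supplied pattern.
        Regex strength = string.IsNullOrEmpty(strengthRegex) ? null
            : new Regex(strengthRegex, RegexOptions.None, TimeSpan.FromSeconds(1));
        var buf = new byte[1];
        using (var rng = RandomNumberGenerator.Create())
        {
            for (int attempt = 0; attempt < maxAttempts; attempt++)
            {
                var chars = new char[minLength];
                for (int i = 0; i < chars.Length; i++) chars[i] = NextChar(rng, buf);
                var candidate = new string(chars);
                if (MeetsPolicy(candidate, minLength, minNonAlnum, strength)) return candidate;
            }
        }
        // Bounded retries: an unsatisfiable policy fails loudly instead of spinning.
        throw new InvalidOperationException("No candidate met the policy; check the regex and alphabet.");
    }

    // Constructed policy values, not taken from the thread.
    static void Main() => Console.WriteLine(Generate(12, 1, @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{12,}$"));
}
```

The retry cap matters when the configured regex cannot be matched by any string the generator can produce: registration then fails with a clear configuration error rather than hanging.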
-
@jncraig there is an issue with the provided regex. See below:
-
Yeah, I grabbed that bit from an old web.config. The actual site has been replaced by a newer system, so this is more hypothetical than real. The issue is still appropriate.
-
Description of problem
This describes some issues with using random passwords for registration
Description of solution
Random Passwords
DNN has the ability to generate random passwords for user registration.
IMHO, there are two problems with this process.
Sometimes the random password doesn't meet the site's requirements for password complexity. This results in a failure to create the user, and a message to use a different password. I submitted a bug report about this.
As most sites should be using hashed passwords, there is no way for the user to know his password, so he has to be smart enough to click the Reset Password link. DNN should be smart enough to automatically take the user to the password reset automatically. In my case, I'm using the Verified method, so DNN knows the user's email address, and should send this automatically or ... take him to the Change Password function without the requirement to specify an old password.
I'm using random passwords and verified registration.
After the user clicks the verification link in his email, he gets to a page that confirms verification and then asks him to log in. He doesn't know his password, so he has to be smart enough to know that he needs to get a reset password link. So, he now has another password and link to handle.
If we are using hashed passwords, then a first login or completion of verification should just go to the reset password place. There's no need to send an email (it was just verified), so just send the link, put a message on the screen and be done with it!
Simplifying the process, eliminating steps, etc. makes for happy users and fewer needs for an admin to deal with a confused or unhappy user.
Description of alternatives considered
Of course this can all be rectified by not using random passwords, but that's not the point. The customer wants random passwords! (So he gets them ...)
Affected version
I suspect that this relates to all versions of DNN, but I'm using 9.2.2.
Affected browser
Not a browser issue.