It's now increasingly common for websites to provide "super fast & easy" registration: the user just gives their e-mail address. The confirmation e-mail then contains a password generated for the user. If the user is not happy with the password (wanting either a super-weak or a super-strong one), they can change it right away when they open the confirmation link.
This method is used, for example, by slashdot.org:
```ruby
generated_password = Devise.friendly_token.first(8)
user = User.create!(:email => email, :password => generated_password)
RegistrationMailer.welcome(user, generated_password).deliver
```
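How much guessing resistance `Devise.friendly_token.first(8)` gives can be worked out from how the token is built. The sketch below is an added example, not code from the original post or from Devise; it assumes `friendly_token` is URL-safe base64 with the look-alike characters `lIO0` remapped to `sxyz`, as in recent Devise versions, and `friendly_token_like`, `char_distribution`, `entropy_bits_per_char` and `token_entropy_bits` are hypothetical names.

```ruby
require "securerandom"

# The 64 symbols SecureRandom.urlsafe_base64 can emit.
URLSAFE_ALPHABET = [*("A".."Z"), *("a".."z"), *("0".."9"), "-", "_"].freeze

# Assumption: mirrors how recent Devise versions build friendly_token
# (URL-safe base64, look-alike characters l, I, O, 0 remapped to s, x, y, z).
def friendly_token_like(length = 20)
  rlength = (length * 3) / 4
  SecureRandom.urlsafe_base64(rlength).tr("lIO0", "sxyz")
end

# Probability of each output character after the remap. Four of the 64
# input symbols collapse onto s, x, y and z, so those four are twice as
# likely as any other character and only 60 distinct characters remain.
def char_distribution
  counts = Hash.new(0)
  URLSAFE_ALPHABET.each { |c| counts[c.tr("lIO0", "sxyz")] += 1 }
  counts.transform_values { |n| n.to_f / URLSAFE_ALPHABET.size }
end

# Shannon entropy of one token character, in bits.
def entropy_bits_per_char
  char_distribution.values.sum { |p| -p * Math.log2(p) }
end

# Entropy of a password made from the first `chars` characters of a token.
def token_entropy_bits(chars)
  chars * entropy_bits_per_char
end

if __FILE__ == $0
  password = friendly_token_like[0, 8] # plain-Ruby equivalent of .first(8)
  puts "sample password:   #{password}"
  puts "distinct chars:    #{char_distribution.size}"
  puts "bits per char:     #{entropy_bits_per_char}"
  puts "bits for 8 chars:  #{token_entropy_bits(8)}"
  puts "bits for 20 chars: #{token_entropy_bits(20)}"
end
```

Under that assumption an 8-character password carries 47 bits of entropy, so rate limiting or lockout on the login form matters more than it would with the full 20-character token.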
Are you overriding the Devise Registration Controller Create action here? Could you provide the full controller to show how you have implemented this? Could you also provide the details of your welcome message that would include both the newly created password? And the details of your confirmation page that includes the request to change their password?
I'm afraid my answer won't be so simple or much more illuminating. I am not overriding the Devise Registration Controller, I do not use it at all. There is no way for a user to directly create an account in my system. They go through a workflow, and at the end of the workflow, I create their account using the code above and send them an email. I follow the above code with
so they are just logged in as a new user seamlessly. The log in is just for when they come back. In the email, I include a link to /user/edit to change their password, but I don't require it, nor do I require confirmation by email.
I'll write something up in a blog post this weekend so you can see a working example.
Note: I don't believe our setup here is the most secure way to go, but we're not accepting payment information from our website, and we have a sales/support team that speaks with everyone who uses our system. There's limited scope for an impostor/hacker to do much damage with their login. No, that is not a dare or challenge.