A question came up in chat, which made me question the process we have for creating new user accounts on the admin side. Currently, we have an admin (or some authorized user) directly specify the new user's password - which the admin must then convey to the new user somehow.
Is there really any good use case for this, though? A better alternative would be for the admin to simply create the new user's account without a password. A link with a secret token would then be sent to the new user's email address, which would allow them to activate their account and set a password. This link could expire after a certain period of time. The new account would remain in an "unactivated" state until the user sets a password.
A question came up in chat, which made me question the process we have for creating new user accounts on the admin side. Currently, we have an admin (or some authorized user) directly specify the new user's password - which the admin must then convey to the new user somehow.
Is there really any good use case for this, though? A better alternative would be for the admin to simply create the new user's account without a password. A link with a secret token would then be sent to the new user's email address, which would allow them to activate their account and set a password. This link could expire after a certain period of time. The new account would remain in an "unactivated" state until the user sets a password.