The problem with the way Drupal passwords are created is that a user might be able to guess the admin password quite easily if the admin does not change it after receiving it.

I propose that user_password be changed to concatenate a word from the list of words with a pseudo-randomly chosen string of at least six characters.

Comments

al

If we're going to introduce random strings, why bother keeping the word concatenation?

Why don't we just generate a random string of 8 or more mixed-case alphanumerics and be done with it?

moshe weitzman

-1 because of usability degradation. after we allow users to submit their own password during registration, i'm OK with moving to random string generator for system generated passwords like 'i forget my password' emails and DA registrations. i recognize a problem with the current system, but don't want to go backwards usability wise.

- moshe, wearing his user.module maintainer* hat

*
http://cvs.drupal.org/viewcvs/drupal/MAINTAINERS?rev=HEAD&content-type=t...

al

Surely everyone just copy/pastes the password anyway? I don't see that this would be much of a usability degradation, and besides, even if it is, it's a big security risk at the moment and needs fixing.

bertboerland

this bug is worse than described here, any user can reset any other user's password, not just unchanged ones.

the h/|ck3r just has to create an account and reset his own password n times to collect all the words. then reset any other user (including the sysop's) and log in. this can be automated faster than the MTA of the users whose account is going to be misused say HELO...

i filed a bug report some time ago: bug #1639

my suggestions:
* reintroduce the url in mail for checking that the recipient wants to change his password and/or
* create a password policy module with the parameters
- minimal number of chars
- minimal number of "odd chars"
- number of grace logins
- force password to be changed after first login
- etc...

al

Assigned: Unassigned » al

Fixed in CVS - now generates 10 char mixed-case alphanumeric passwords.
Please open a feature request if you want me to modify the algorithm to generate pronounceable passwords.
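To make the difference between the two schemes concrete, here is an added example (not Drupal's own user_password() or the CVS fix) of generating a 10-character mixed-case alphanumeric password from a CSPRNG and comparing its entropy with a guessable word list. It assumes PHP 7 or later for random_int(); the 1000-word list size is a made-up figure for illustration.

```php
<?php
// Added example, not Drupal's user_password(): draw each character uniformly
// from the mixed-case alphanumeric alphabet using the CSPRNG-backed random_int().
function generate_system_password(int $length = 10): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over [0, $max], so there is no modulo bias.
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

// Entropy in bits of a password drawn uniformly from alphabetSize^length strings.
function password_entropy_bits(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

// A word-list scheme whose list an attacker can collect (as bertboerland
// describes) is only as strong as log2(list size); the size here is assumed.
printf("single word from an assumed 1000-word list: %.1f bits\n",
    password_entropy_bits(1000, 1));
printf("10 mixed-case alphanumerics: %.1f bits\n",
    password_entropy_bits(62, 10));
echo "sample password: ", generate_system_password(10), "\n";
```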
