Is it a security risk to use parts of GUID as a random passwords?

When users create an account in my web application, I generate a GUID and use the first 8 characters as their password which is then sent via email.

Is there a security risk I am overlooking in using GUIDs as passwords? I've taken a look at the question "Are GUIDs good passwords?", but that question pertains to personal passwords, not random/generated passwords. Ideally, users will log in and change their password if they want to.

Omar asked Dec 05 '22 01:12



2 Answers

Using GUIDs as passwords is a very bad idea. GUIDs are generated in a very predictable and well-defined manner. Or, in other words, given enough information, it would allow an attacker to predict the passwords of other users.

Predictable and well-defined is the exact opposite of what you want in a password generator.

JaredPar answered Dec 21 '22 22:12



Yes, unless you know exactly how the GUID is built. For example, some GUIDs bundle the MAC address of the host into the GUID. If you happen to use those bits, then that compromises a large amount of the bit space for the "random" password.

Simply put, GUIDs may be unique, but they are not necessarily random.

Will Hartung answered Dec 21 '22 22:12

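Both answers make the same point: a GUID is unique, not random, and which bits are predictable depends on its version. The following Python example, added here and not written by either answerer or the questioner, makes that concrete with the standard `uuid` module. It splits a version-1 GUID into its RFC 4122 fields to show that the first 8 hex characters (the ones the question proposes as a password) are `time_low`, the low 32 bits of a 100 ns timestamp that wraps roughly every seven minutes, and that the last 12 are the node (normally the host MAC address). It then contrasts that with a temporary password drawn from the OS CSPRNG via `secrets`. The `FAKE_NODE` value is a constructed placeholder, not a real device address; `make_v1` and `sample_pair` are helpers written for this example. It also goes slightly beyond the answers by quantifying entropy: even a version-4 (random) GUID yields only 32 bits in 8 hex characters.

```python
import math
import secrets
import string
import uuid

# Constructed placeholder standing in for a host MAC address (not a real device).
FAKE_NODE = 0x001122334455


def uuid_fields(u: uuid.UUID) -> dict:
    """Split a UUID into the fields RFC 4122 defines, as lowercase hex strings.

    For a version-1 UUID the first 8 hex characters are time_low (the low
    32 bits of a 100 ns timestamp) and the last 12 are the node (usually the
    host MAC address), so neither end of the string is random.
    """
    h = u.hex  # 32 hex characters, no hyphens
    return {
        "version": u.version,
        "time_low": h[0:8],
        "time_mid": h[8:12],
        "time_hi_version": h[12:16],
        "clock_seq": h[16:20],
        "node": h[20:32],
    }


def make_v1(time_low: int, node: int) -> uuid.UUID:
    """Build a version-1, RFC 4122-variant UUID from chosen field values (demo helper)."""
    # fields = (time_low, time_mid, time_hi_version, clock_seq_hi_variant, clock_seq_low, node)
    return uuid.UUID(fields=(time_low, 0x0000, 0x1000, 0x80, 0x00, node))


def sample_pair():
    """Two version-1 UUIDs generated back to back on the same (constructed) node."""
    return uuid.uuid1(node=FAKE_NODE), uuid.uuid1(node=FAKE_NODE)


def same_node(a: uuid.UUID, b: uuid.UUID) -> bool:
    """True when two UUIDs embed the same node field, i.e. came from the same host."""
    return uuid_fields(a)["node"] == uuid_fields(b)["node"]


def guessable_first8(u: uuid.UUID) -> bool:
    """True when the first 8 characters of u are a timestamp rather than random bits."""
    return u.version == 1


def time_low_wrap_seconds() -> float:
    """How long before time_low repeats: 2**32 ticks of 100 ns (about 429.5 s)."""
    return (2 ** 32) * 100e-9


ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a password of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_temp_password(length: int = 16) -> str:
    """Temporary password from the OS CSPRNG (secrets), not derived from a UUID."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    a, b = sample_pair()
    print(uuid_fields(a))
    print(uuid_fields(b))
    # Both carry the same node and near-identical timestamps; only time_low differs.
    print("same node:", same_node(a, b))
    print(f"time_low wraps every {time_low_wrap_seconds():.1f} s")
    print(f"8 hex chars (any UUID version): {entropy_bits(8, 16):.0f} bits")
    print(f"16 alphanumeric chars from secrets: {entropy_bits(16, len(ALPHABET)):.1f} bits")
    print("example temp password:", generate_temp_password())
```

Running it shows two GUIDs whose last 12 characters are identical and whose first 8 differ only by the clock ticks between the calls; the `uuid.uuid1()` fields are exactly the ones Will Hartung describes as bundled in. The `secrets`-based generator is the replacement to reach for: it draws from the CSPRNG, and its entropy scales with length and alphabet rather than being capped by the GUID format.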