PHP Registration: Auto-generate password or let user choose it

During registration, I'm debating how I should set user password:

  • Let the user choose it. If I do this, I have to enforce some standards (length, weakness, may involve regexes, etc.) What do you normally do when you choose this way and why? Is there a library available for PHP for this?

  • Auto-generate the password for the user and email it to them to the email they provided. They can't log in without getting the password so it's email verification too. Problem is the password may be too difficult for the user to remember. If I allow them to change it to something easier, that defeats the purpose of me choosing it for them in the first place. I'm also worried about the act of transmitting the password (as plain un-hashed password) in an email.

I'm leaning towards the second, but would prefer a more informed answer before choosing. There are probably things I'm not paying attention to like user convenience and other technical issues too. What do you do?

Edit: Based on the answers, I'm going with the first option then, letting the user choose. My question would then be, what password strength/length/etc. should I require, and how do I enforce it? Are there PHP libraries available for that?

Chris asked Dec 29 '22 13:12


1 Answer

I think there is only one answer to this. Let the user make her own password! Everything else is programmer laziness and bad interaction design and customer friendliness (IMO).

Now I'd see a few exceptions, namely if it is some kind of low-importance intranet system with only a handful of users who agree to this, or if it is a one-shot account which people won't need to log in to later on.

You need to hash & salt your passwords anyways, even if you generate them yourself. All you need to add is some validation rules at the first submit of the user. That's probably even easier to make than a good password generation tool.

Password strength

A link to a post about 10 password strength meters

markus answered Jan 26 '23 15:01
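The "validation rules at the first submit" plus "hash & salt" that the answer recommends, as an added PHP example that is not part of the original post. The rule set, the deny-list contents and the function names (`validatePassword`, `hashPassword`, `verifyPassword`) are illustrative; the hashing uses PHP's built-in `password_hash`/`password_verify`, which handle the salt for you.

```php
<?php
declare(strict_types=1);
// Added example (not code from the original post); function names are illustrative.
// Requires PHP 8.0+ for str_contains().

const MIN_PASSWORD_LENGTH = 8; // NIST SP 800-63B: at least 8 characters, no composition rules

// Constructed sample deny-list; a real one is a large breached-password list.
const COMMON_PASSWORDS = ['password', '12345678', 'qwerty123', 'letmein1', 'iloveyou'];

/** Returns human-readable problems; an empty array means the password is acceptable. */
function validatePassword(string $password, string $email): array
{
    $problems = [];
    if (mb_strlen($password) < MIN_PASSWORD_LENGTH) {
        $problems[] = 'Use at least ' . MIN_PASSWORD_LENGTH . ' characters.';
    }
    if (in_array(strtolower($password), COMMON_PASSWORDS, true)) {
        $problems[] = 'That password is too common.';
    }
    // Reject passwords built from the user's own identifier (the part before '@').
    $localPart = strtolower(strstr($email, '@', true) ?: $email);
    if ($localPart !== '' && str_contains(strtolower($password), $localPart)) {
        $problems[] = 'The password must not contain your email address.';
    }
    return $problems;
}

/** Store only this string; password_hash() generates and embeds a random salt. */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Login check. Sets $rehash when the stored hash should be upgraded (new default/cost). */
function verifyPassword(string $password, string $storedHash, ?string &$rehash = null): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $rehash = hashPassword($password);
    }
    return true;
}

// Constructed registration input (normally taken from $_POST).
$input = ['email' => 'chris@example.com', 'password' => 'correct horse battery staple'];
$errors = validatePassword($input['password'], $input['email']);
$stored = $errors === [] ? hashPassword($input['password']) : null; // persist $stored, never the plaintext
```

Run the same `validatePassword` check server-side regardless of any client-side meter, since only the server-side rule is enforceable; at login, persist the value placed in `$rehash` when it is set so old hashes are upgraded transparently.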