Is this a good practice to disable a password creation by the user?

I am working on an intranet site and need to choose one way of two: 1. Disable an option when a user can change a password to any word he likes, for example, pass123. This way there will be a button to generate a new password using some complex algorithm and then u开发者_开发技巧ser accepts its using. 2. Make standard password changing function. This way user can enter any password he likes and save it. Thanks.

If it's an intranet site, then authentication should generally be handled through LDAP, not explicit password entry.

I'd say it's good if you only give the user a button to generate a new password, then he can't use the same password on every site.

If you have a password strength policy, state this clearly on the form when the user chooses a new password and don't accept it if the password is not strong enough (option 1.).

It just depends on how secure you want the site to be.

If you allow them to change their own password, then I would suggest that you have some sort of "Password Strength" visual aid to help them pick a strong password. Then maybe only except strong passwords.

Only allowing them to change their password to another password generated from a complex algorithm would probably result in them not remembering it, however this way you can always count on strong passwords. Emailing them the password would mean that they would not have to write it down somewhere, and then even though it is written down it would then be securely hidden behind their email login.