Currently when a new user account is created via OpenID a random password is generated for the user. However, this password is never given to the user.
I have 3 possible solutions, none of which I am 100% satisfied with.
PM the user
We could send the password as a private message to the user as soon as the account is created.
Positives - User always has access to it in their Inbox and is instantly notified of the password in case he/she needs it.
Negatives - If the user's session is saved on that computer and someone else uses it, they will already be logged in to the user's account and have access to the password right there on the same site, giving them the ability to take ownership of the account (by changing the email).
Email the user
We could send the password as an email message to the user.
Positives - User can recall the password in case they ever lose access to their openid provider and cannot login
Negatives - The password is sent out in plain text over the internet. I know this is how phpBB does it already, but from a security standpoint it's dangerous.
Pop-up window
We could just display the password once for the individual and hope they write it down or memorize it.
Positives - Most secure way to deliver the password
Negatives - If the user does not memorize or write down the password then they will not have the ability to recall it.
Or we could include all options (at least the first 2) and have a configuration option in the ACP to use one or the other or both. Maybe I'm just being paranoid with the negatives I listed above, but to a computer security freak it sends up red flags. Ideally it would be great to make phpBB not require a password for logging in to the ACP or for changing the password, and just re-authenticate via OpenID, but I think that will take a lot of changes.
Anyway, please give me your input. Thanks
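As an added illustration of the "configuration option in the ACP" idea above (example code, not phpBB's own code or anything from the original post): the password is generated with a CSPRNG, only a hash is stored, and the plaintext is handed to whichever delivery method the admin selected and then discarded. The function names, the `openid_pw_delivery` config key and the delivery callbacks are all assumptions for the sake of the example; phpBB's real user-creation and PM/email APIs are not used here.

```php
<?php
// Added example (not phpBB's own code): generate the one-time password for an
// OpenID-created account with a CSPRNG, keep only a hash in the database, and
// hand the plaintext to whichever delivery method the ACP setting selects.
// The function names, the $config key and the delivery callbacks are assumed.

declare(strict_types=1);

/**
 * Return a random password drawn from a fixed alphabet using random_int(),
 * so the result is unpredictable (unlike rand()/mt_rand()). Ambiguous
 * characters (0/O, 1/l/I) are left out because the user may have to type it.
 */
function generate_account_password(int $length = 16): string
{
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

/**
 * Hash the password for storage. Only the hash is written to the users table;
 * the plaintext exists for the single delivery step below and is then discarded.
 */
function hash_for_storage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Deliver the plaintext according to the assumed ACP setting
 * $config['openid_pw_delivery'] ('pm', 'email', 'display', or several of
 * them joined by ','). Each $deliver[...] entry is a callback supplied by
 * the caller. Returns the list of methods actually used.
 */
function deliver_account_password(string $setting, string $password, array $deliver): array
{
    $used = [];
    foreach (explode(',', $setting) as $method) {
        $method = trim($method);
        if ($method === '' || !isset($deliver[$method])) {
            continue; // unknown method: skip it rather than fall back to something less safe
        }
        $deliver[$method]($password);
        $used[] = $method;
    }
    if ($used === []) {
        // Misconfiguration: the account would end up with a password nobody can recover.
        throw new RuntimeException('No usable password delivery method configured');
    }
    return $used;
}

// --- Usage sketch (constructed; not part of the original post) ---
$config = ['openid_pw_delivery' => 'display']; // alternatives: 'pm', 'email', 'pm,email'
$password = generate_account_password();
$hash     = hash_for_storage($password);        // store $hash on the new user row, never $password

$deliver = [
    'pm'      => function (string $pw): void { /* queue a private message to the new user */ },
    'email'   => function (string $pw): void { /* send the e-mail; note it travels in the clear */ },
    'display' => function (string $pw): void { echo htmlspecialchars($pw), "\n"; },
];

deliver_account_password($config['openid_pw_delivery'], $password, $deliver);
unset($password); // the plaintext is not kept anywhere after delivery
```

The dispatcher deliberately refuses to run when the setting names no known method, so a typo in the ACP cannot silently leave a user with an unrecoverable password; whichever methods are enabled, the database only ever holds the hash.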