« on: February 17, 2011, 02:28 PM »
This one is easy:
It's just a matter of risk assessment, like anything in real-world security.
A generated password is better.
The chance is FAR greater that a person will choose a weak or reused password than that their email will be sniffed.
In a perfect world, it would be even better if the password is shown to them after signup over HTTPS and not emailed.