Password Laws for Websites
06-02-2011, 12:34 PM
I'm curious if there are any laws or best practices concerning issuing passwords to website visitors. We want to selectively invite a few hundred of our best customers to join our channel partner program and I want to issue usernames and passwords for them.
Just wondering if there are any legal problems we could run into by picking passwords for people.
06-02-2011, 04:40 PM
I don't think there are any laws specifically for passwords, but there are definitely best practices. There may also be liability issues depending on the industry you are in and the sensitivity of the data. For best practices, auto-generate a unique alphanumeric password between 8-14 characters long for each member. Make sure you also provide provisions for users to update their own password once logged in.
06-02-2011, 04:42 PM
There are a number of sites that create the initial password for a visitor, but you'll have trust and credibility issues if you don't let people change the password you create for them.
06-02-2011, 07:11 PM
It might depend on the nature of the system. If any of the information is sensitive and perhaps an employee does something to breach privacy or trust then perhaps civil lawsuits could be an issue?
I think if there is financial information in the system, then these people might have a rule that needs to be followed. https://www.pcisecuritystandards.org/search/search.php?query=passwords&search=1
You should store the passwords encrypted on the server though. If someone breaks in, they have an "email/password" combo, and in some cases that means those passwords and email address combos might be in use elsewhere. I mean if you are choosing the password for someone, maybe they will change it to the single password they prefer to use everywhere else? So encrypting it is fairly important.
06-06-2011, 11:52 AM
As a minimum at least 8 characters including at least 1 upper, 1 lower, 1 number.
If you are picking passwords for people, they will forget them the next time they use them, but it will not matter as long as the system can automatically send a new secure password. A simple way to generate a complex password is to make it look like a word and add random chars, e.g. password changed to P@55w0rd
06-08-2011, 06:18 AM
... Just wondering if there are any legal problems we could run into by picking passwords for people...
None at all; it is your website. (Disclaimer: I have no licence to practice law in your jurisdiction.)
As to best practices, I agree with ronchalice.
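An added example, not code from any poster in this thread: it issues each invited account a random alphanumeric password of 8 to 14 characters with at least one upper-case letter, one lower-case letter and one digit, and lets the user replace it after login, as the replies above suggest. Two choices are assumptions of this example: the server keeps a salted PBKDF2 hash instead of a reversibly encrypted password, and each record carries a hypothetical `must_change` flag; all function and field names are made up for illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ITERATIONS = 600_000  # assumption of this example; tune to your hardware


def generate_initial_password(min_len=8, max_len=14):
    """Random alphanumeric password with an upper, a lower and a digit."""
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redraw until every required character class is present.
        if all(any(f(c) for c in candidate)
               for f in (str.isupper, str.islower, str.isdigit)):
            return candidate


def hash_password(password, salt=None):
    """Return (salt, digest); only these two values are stored server-side."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def provision_accounts(usernames):
    """Return (stored records, plaintext passwords to deliver once)."""
    records, to_deliver = {}, {}
    for name in usernames:
        password = generate_initial_password()
        salt, digest = hash_password(password)
        # must_change is a hypothetical flag: prompt for a new password at login.
        records[name] = {"salt": salt, "hash": digest, "must_change": True}
        to_deliver[name] = password
    return records, to_deliver


def change_password(records, name, old, new):
    """Let a user replace the issued password after proving the old one."""
    rec = records[name]
    if not verify_password(old, rec["salt"], rec["hash"]):
        return False
    rec["salt"], rec["hash"] = hash_password(new)
    rec["must_change"] = False
    return True
```

The plaintext values returned by `provision_accounts` exist only long enough to be sent to each customer; a break-in that copies the stored records yields salts and hashes, not reusable email/password pairs.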