nickboucher / nova

New Online-system for Vetting Applications

Update default password #8

Closed hathix closed 6 years ago

hathix commented 7 years ago

[Image: screen shot 2017-01-14 at 12 05 35 pm]

As you see here, new users start off with the default password "password." Given that most people won't change their passwords, we should set a more secure default that's harder to guess — any random sequence of letters would do.

Ideally, we'd do what many apps do and force new users to update their password when they log on for the first time. We could show users whose passwords are still the default an annoying banner at the top of every page that reminds them to update their password.

nickboucher commented 6 years ago

Keeping default password for convenience (don't want to write something that emails a temporary password to the user), but now forces users to change their password on first login.
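The two measures discussed in this thread, a random initial password per account and a forced change at first login, sketched together as an added example that is not part of nova's code. All names are hypothetical, the dict is a constructed stand-in for the user table, and the work factor and minimum length are assumed values.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch
MIN_LENGTH = 12          # assumed minimum length for a user-chosen password

users = {}  # constructed in-memory stand-in for the application's user table


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _set_password(username, password, must_change):
    salt = secrets.token_bytes(16)
    users[username] = {"salt": salt, "hash": _digest(password, salt),
                       "must_change": must_change}


def _verify(username, password):
    record = users.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["hash"], _digest(password, record["salt"]))


def create_user(username):
    """Create an account with a random one-time password, flagged for change."""
    initial = secrets.token_urlsafe(12)  # 96 bits of randomness, unique per account
    _set_password(username, initial, must_change=True)
    return initial  # handed to the new user out of band


def login(username, password):
    """Return 'denied', 'change_required' (limited session) or 'ok'."""
    if not _verify(username, password):
        return "denied"
    return "change_required" if users[username]["must_change"] else "ok"


def change_password(username, old, new):
    """Replace the password; reusing the old one or a short one is refused."""
    if not _verify(username, old) or new == old or len(new) < MIN_LENGTH:
        return False
    _set_password(username, new, must_change=False)
    return True
```

A caller that receives `change_required` should serve only the change-password page until `change_password` succeeds.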