Comment by baq

2 days ago

I mean, at this point might as well drop the password requirement completely and send an email login link every time a user gets logged out and wants to log back in. It's how the 'reset password' feature works for some people anyway.

Yep, if that's possible for your service, that works. If the service doesn't want your email and/or doesn't have access to your data, e.g. an E2EE service where account reset is impossible, then that's not an option.

The supposition for all this is that the service wants to use passwords for whatever reason. In that case, generate them for the user.