When creating an account don't email the password

[mawiseman]

I think it would be better practice (and probably more secure) to send a link with userid and expiration date via jwt and force the user to choose their own password

https://jwt.io/

This would mean

• admin passwords are floating around in emails
• the user only had a limited time to action the email

[AlenPelin]

Thanks @mawiseman for valid point, which indeed makes sense to implement. It is however much more complex solution than current one, and therefore is way more risky to introduce even bigger vulnerability.

In fact, it will also require to replace password recovery mechanism on Sitecore login page because SignUpRules relies on it.