Hi, I am developing a web app for my customer with many access profiles. One of these is the customer administrator profile that can create other users. When the admin creates a new user a mail is sent to this user (at the address that the admin has set) and so the new user can access for the first time. At now, in the mail, it was specified a temporary password that the user must be changed at the first access.
It is safe in your opinion? Is it possible to improve this process, without any generated password with a generated link and is this better or safer?
I haven't found a specific pattern to follow or OWASP documentation, so if you know a good doc or article please let me know.