Do not e-mail passwords

[markjaquith]

When creating an account for someone in WordPress, this is a bad time to let the user-creator pick a password. First, we’re risking that it’s weak, but even if it isn’t weak, it isn’t going to memorable for the actual user who will own the account. In this case, we should just generate a password, and send the user a password view/reset link. For situations without e-mail, we can let the creator see the password, and send it to the user via a more secure than e-mail method.

[SergeyBiryukov]

Related: #24633, #27192.

[MikeHansenMe]

Send a set password link instead of plaintext password

[MikeHansenMe]

add time to hash for expiring passwords

[MikeHansenMe]

32428.2.diff​ add time() to the hash so that it will expire properly.

[Ipstenu]

Change registration page to say that registration confirmation will be sent

[Ipstenu]

Attached 32428-login.diff

Changing "A password will be e-mailed to you." on the wp-login.php page to "Registration confirmation will be e-mailed to you."

Hat tip to @petercralen - ​https://wordpress.org/support/topic/registration-set-pasword

[dd32]

Although I haven't tested these patches, they look correct to me.

[obenland]

32428.2.diff​ was committed in [33023].

[obenland]

In 33265:

Login: Reflect new password flow in registration form.

Props Ipstenu.
Fixes #32428.

[chriscct7]

#28168 was marked as a duplicate.