Accounts created with "Create new accout for anonymous order" Checkout rule have blank password

I'm seeing user accounts created with the "Create new account for anonymous order" rule being created with a password of ' ' (no, I'm not crazy, see the SQL below). Beyond just being bizarre, it means users cannot log in through the normal login form and must use the one-time login link. After using that link if they don't change their password they're effectively locked out of the site and have to request a new password.

I'm not seeing an option to set the password using either the 'Create new entity' action or the 'Set a data value' action.

So is this then a Rules bug? Is it expected behavior and not a bug (in which case, please explain to me how this isn't a bug)?

mysql> select uid, name, pass from users where pass = ' ' order by uid desc limit 10;
| uid | name | pass |
| 55 | Some.Guy | |
| 54 | [email protected] | |
| 53 | wiggy.wack | |
| 51 | [email protected] | |
| 50 | [email protected] | |
| 49 | [email protected] | |
| 44 | [email protected] | |
| 42 | [email protected] | |
| 39 | [email protected] | |
| 38 | [email protected] | |

Posted: Jan 12, 2012


rfay Randy Fay on January 13, 2012

I think this is by design. The normal way for users to log in the first time when accounts are automatically created is using a one-time login link. The default new user email provides a one-time login link. Otherwise it would have to provide a password, which is no longer considered a reasonable thing to do in a welcome email.

Barrett on January 13, 2012

I guess I had overlooked that 7 no longer provides a token for sending the password in their welcome email, but a new user registering through /user/register still has a password.

peach on May 4, 2012

I think this is an improvement to the old Drupal way. Sending a password in plaintext over email isn't exactly a best practice.