Why does the user pick the password?

Why, indeed?

Allow me to ignore that question for a moment, and answer your implied question: Should we?
That is, should we continue to have users create their own password, which is often weak, instead of just having the system generate a strong password for them?

Well, I am of the controversial opinion that there is a pretty strong trade-off here - having a secure password, and KNOWING how secure it is (as you point out), on the one hand, and on the other side is the user's feeling of security. "Usability", to some extent.

I think there are several aspects to this feeling of security: some users would want to ensure that they have a strong password themselves (e.g. via a password manager, or diceware); some users would want to select an easy password; and some users want to use the same password everywhere. And yes, many users just plain expect to be able to set their password, for whatever reason - so besides any specific cause, you will still need to fight the re-education battle, which is far from easy.

Also, don't forget that once you get a good strong password to the user, the (often non-technical) user still needs to figure out what to do with it - even passphrases become difficult to remember after the first dozen or so, or if you only use it every 6 months... The non-technical user would most likely save it in a Word document on their desktop, or in their email. (And of course write the OS password on a sticky note attached to the screen).

Now, don't belittle these reasons, or these causes for using weak passwords - we the security industry have created this scenario for the simple folk over years. But it really comes down to: how secure do you need your site to be? How much risk can the user decide to take upon himself/herself, and how much of that is system risk that should be taken out of the user's hands?

So bottom line: Yes, I think most sites that have non-negligible security requirements should offer password/passphrase generation. Depending on the profile and architecture, you could offer 3 options when registering an account (or changing password, etc...) - just make sure to only display the password after warning the user against shoulder-surfing:

  • Generate passphrase - with a configured or flexible number of words (default)
  • Generate crazy-strong password with ridiculous entropy, e.g. for saving to password manager
  • Create your own.

In fact this is what I've been recommending for some time now (variants dependent on the specific requirements...).


Going back to your original question, why is the above not done?
I would guess a combination of legacy systems and bad habits; mis-education (the overwhelming majority of sites still have BAD password policies and recommendations); and perhaps just a lack of awareness of a better solution.

Yes, this is why passwords suck. :-)
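As an added illustration of the first two registration options listed above (my example, not code from the answer's author), a generator for a diceware-style passphrase and for a high-entropy password that also reports the entropy in bits, so the site knows how strong the credential it handed out actually is. The wordlist is a constructed sample and the 64-bit target in `meets_target` is an assumed policy value.

```python
import math
import secrets
import string

# Constructed sample wordlist for illustration only. A real diceware list has
# 7776 words (about 12.9 bits per word); entropy below is computed from the
# actual list size, so this toy list honestly reports far fewer bits.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "engine", "forest", "garden",
    "harbor", "island", "jungle", "kettle", "ladder", "magnet", "needle",
    "orange", "pepper", "quartz", "rocket", "saddle", "timber", "umbrella",
    "violet", "walnut", "yellow",
]
# Alphabet for the "crazy-strong" option: 94 printable ASCII characters.
STRONG_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks out of `choices`."""
    return length * math.log2(choices)


def generate_passphrase(n_words: int = 6, words=SAMPLE_WORDS):
    """Option 1: passphrase of n_words; returns (passphrase, entropy in bits)."""
    if n_words < 1:
        raise ValueError("n_words must be at least 1")
    words = list(dict.fromkeys(words))  # drop duplicates so entropy is not overstated
    chosen = [secrets.choice(words) for _ in range(n_words)]  # CSPRNG, not random.choice
    return " ".join(chosen), entropy_bits(len(words), n_words)


def generate_strong_password(length: int = 32, alphabet=STRONG_ALPHABET):
    """Option 2: random password intended for a password manager; returns (pw, bits)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, entropy_bits(len(alphabet), length)


def meets_target(bits: float, target_bits: float = 64.0) -> bool:
    """Server-side check that a generated credential reaches the configured strength
    (64 bits is an assumed policy value, not one from the answer)."""
    return bits >= target_bits


if __name__ == "__main__":
    for label, (value, bits) in (("passphrase", generate_passphrase()),
                                 ("password", generate_strong_password())):
        print(f"{label}: {value!r}  ({bits:.1f} bits, ok={meets_target(bits)})")
```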


Getting the password to the user

The only times I have seen systems that set the password for the user, it is sent to the user via email (obviously in plaintext), which is obviously a bad idea[*] (and SMS, mail, etc. are not that much better).

So that would leave displaying the password when creating the account (which might also be a bad idea because of shoulder surfing). I would assume that this would lead to a lot of users who would overlook this, or not realize that it is important. Users are used to remembering/writing down/storing passwords when they create them themselves, but they are not used to reading some page after they created an account; many would most likely just ignore it.

[*] because anyone gaining access to the user's mail account (brute force, user forgot to log off, etc.) will not have access. If an attacker uses password reset to gain access, a user would at least notice this.

Getting the user to remember the password

Users need to know their passwords. Typically, they have a couple of options for this (memory, writing it down, or storing it in a file or password manager). One of the primary ones (memory) would not be practical with your approach[*], which I would assume is the main reason that websites do not generate passwords for users.

[*] even with easy-to-remember generated passwords users will still have a harder time remembering that than passwords they chose themselves.

User Experience

Security is not the main business of most web services. It's often more important that users are happy, and many users will not be all that happy if they cannot choose their own passwords (because they do not want to remember generated passwords, and they do not want to write them down, and they also do not want to use a password manager). Users just want to use a service, and anything that makes that more complicated can potentially lead to a percentage of people using a competing service.

Conclusion

Passwords are always a tradeoff between usability and security, and not letting users choose passwords reduces the usability of a service too much for most of them (and because of the problems of actually getting the generated password to the user, it might not even add all that much security).


Organisations want users to be responsible.

If the user chose the password, they can be blamed for choosing a bad one.

Unfortunately, in the real world, organisations may have to be more concerned about seeming to take some of the responsibility for intrusions than about ensuring they can't happen.

Users want to choose something they can remember

Many users will not write down their passwords (setting aside whether this is a good idea or not). They prefer to choose something they think they can remember. (This is especially important for the thousands of sites that shouldn't need a password but force users to pick one).