why don't all sites generate passwords for users?
Security at the expense of usability comes at the expense of security
The problem is that there is only so much a web application can do to force good security practices on users. In this particular case I can tell you what will happen in the vast majority of cases: people will write down their "secure" password somewhere nice and insecure. As a result, this will not necessarily make anything more secure: it will just shuffle around where the vulnerability lives. In essence, this system is missing some necessary supporting architecture to make the user experience very easy, and therefore very secure. As a result there are basically three kinds of people with three different results:
- People who don't care/understand about password security. They are going to write down that uncrackable password in a place that is super-accessible, and as a result super-insecure. These are the same people that reuse the same weak passwords on every site. As a result, they go from one bad security solution to another bad security solution. These are also the majority of web users, so for the majority of the internet your solution has no real benefit.
- People who use password managers and other password helpers, their password systems cannot integrate with your website. These people will be worse off, as suddenly their normally-secure system can no longer be used. As a result they'll probably end up writing it down, maybe not securely, and be worse off then they were before. To be clear, this will definitely happen: your "show the password in a form so that the password manager can record it" solution will absolutely not work with some password managers. I can just about guarantee it.
- People who use password managers, and those password managers integrate properly with your system. They were already storing things securely and still are, but now with another point of failure: your random number generator. Overall, though, there security will neither have decreased nor increased substantially.
Overall therefore, I would say that I see no real benefit for this system.
I have to say this out loud because it is critical in all other contexts: you never want to use SHA256 to hash passwords. In this case you can probably get away with a fast hash because your password is too long for a brute-force to be feasible anyway.
Edit to add the obvious answer
I think the biggest problem with this solution is that it doesn't go far enough to fix the underlying problem. The underlying problem is that people suck at passwords: we either pick poor ones, reuse them, or don't store them securely. The solution isn't to come up with a new password system: the solution is to ditch passwords all together. Many companies are starting to introduce password-less login. That's the answer you really want.
Your solution is forcing people to use a password manager. People may save their passwords in a browser, but thats not always encrypted, and is often only stored locally, so they now can't access your service from more than one computer. Keep in mind that most people won't even know what a password manager is.
Also, even if they have a password manager, do they have access to it on all of their devices? If someone has to type in a random 32-character password even once, they will start to hate your site for that.
Two things that come into my mind:
Users would hate not being able to choose their own password because unless they already have a password manager or some kind of system, it's an extra thing they have to remember or write down or keep track of somewhere.
If the website takes on the responsibility of generating "random" passwords, the methods it generates a password might turn out to have flaws in it in the future, which will jeopardize the security of all existing passwords at once. I think recently there was some hardware chip that generated BitLocker passwords in computers whose flaw was discovered and now all those BitLocker passwords can be cracked with about $40,000 in AWS - a lot of money for an individual, but for a company or a government, not much.