What's the safest way to inform a new user of their password on an invite-only website?

The best practice in this instance is to send them a link to a page where they can set their own password.

You should ensure that after they have used this link to register, the link cannot be used for account takeover. One way of achieving this is to include a time-limited, single-use token in the URL.


You should just send the newly created users a link where they can set their own password. But consider the following points to prevent abuse, because emails are sent in plain text:

  • make sure the link can be used just once (so only if the user does not have a password yet)
  • maybe set a date by which the password needs to be set; otherwise they need to request a new link
  • random link generation, so it is (nearly) impossible to guess the link for an email
  • add another step of verification (e.g. require them to enter their email and/or birthday)

From my experience, it's usually done in two ways.

One way has already been described by David Waters, so I won't talk about it.

The other way is to send them a one-time-use password, which they will have to change within a certain timeframe (usually a 48-hour window).

With this method, you need to make sure they receive a randomised password which is secure enough not to be brute-forced, and which is unique and cannot be used again.

Once the user connects using this password, the website should redirect them to a page where they can choose their own password.
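The mechanism the answers above describe (a random, time-limited, single-use secret delivered by email, followed by a forced choice of a real password) as an added example; this is not code from any of the answers. It assumes an in-memory store, the 48-hour window mentioned in the last answer, and binds the secret to the invitee's email address as the extra verification step the second answer suggests. The class and function names (`InviteStore`, `complete_invite`, `hash_password`) and the `example.invalid` URL are my own. The same `redeem()` serves both flavours discussed: whether the secret arrives as a query parameter in a set-password link or is typed into a login form as a one-time password, the checks are identical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy values (the answers give none beyond "usually 48h"):
INVITE_TTL_SECONDS = 48 * 60 * 60   # the 48-hour window mentioned above
PBKDF2_ROUNDS = 600_000             # work factor for the final password hash


@dataclass
class Invite:
    email: str
    secret_hash: bytes   # SHA-256 of the secret; the plaintext is never stored
    expires_at: float    # unix time after which redeem() refuses the secret
    used: bool = False   # flipped on the first successful redemption


class InviteStore:
    """Issues and redeems random, time-limited, single-use invite secrets.

    The secret returned by issue() can be embedded in a set-password link
    (e.g. https://example.invalid/set-password?email=...&token=...) or sent
    to the user as a one-time password; redeem() is the same in both cases.
    """

    def __init__(self) -> None:
        self._by_email: dict[str, Invite] = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def issue(self, email: str, now: float) -> str:
        # 32 bytes from the OS CSPRNG -> 43-character URL-safe string,
        # so guessing the link for a known email address is infeasible.
        secret = secrets.token_urlsafe(32)
        # Re-issuing replaces any earlier invite for this address, which is
        # what "request a new link" after expiry should do.
        self._by_email[email] = Invite(email, self._digest(secret),
                                       now + INVITE_TTL_SECONDS)
        return secret

    def redeem(self, email: str, secret: str, now: float) -> bool:
        """True exactly once per issued secret, and only before expiry."""
        inv = self._by_email.get(email)      # the secret is bound to the email
        if inv is None or inv.used or now > inv.expires_at:
            return False
        # Compare hashes in constant time so a wrong guess leaks nothing
        # through response timing.
        if not hmac.compare_digest(inv.secret_hash, self._digest(secret)):
            return False
        inv.used = True                      # single use from here on
        return True


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 for the user's chosen password; returns (salt, key)."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def complete_invite(store: InviteStore, accounts: dict[str, tuple[bytes, bytes]],
                    email: str, secret: str, new_password: str, now: float) -> bool:
    """The set-password page: accept the secret once, then store the chosen
    password. After this the emailed link / temporary password is dead."""
    if not store.redeem(email, secret, now):
        return False
    accounts[email] = hash_password(new_password)
    return True


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock instead of time.time().
    store, accounts, t0 = InviteStore(), {}, 1_700_000_000.0
    token = store.issue("alice@example.invalid", t0)
    print("link     :", f"https://example.invalid/set-password?email=alice@example.invalid&token={token}")
    print("first use:", complete_invite(store, accounts, "alice@example.invalid", token, "correct horse", t0 + 60))
    print("replayed :", complete_invite(store, accounts, "alice@example.invalid", token, "attacker pw", t0 + 120))
```

In a real deployment the store would be a database table keyed by email, `now` would come from the server clock, and a failed `redeem()` should return the same generic error whether the email is unknown, the secret is wrong, or the invite has expired, so the endpoint does not confirm which addresses have pending invites.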