Smart! But such an edge-case, I don't find this bug as ridiculous..
On another note, admin shouldn't be sending entering other peoples passwords anymore, they should be sending invites links that let's the user insert their own.
"The admin never knows the user's password" is a pretty simple security step for any setup. What way would someone want to use a web service where the admin knowing their password is a requirement?
> What way would someone want to use a web service where the admin knowing their password
Unfortunately the people who have to use software are often not the people responsible choosing it!
> where the admin knowing their password is a requirement
For creating fresh accounts this is less of an issue than once the account has access to real data that has already been entered, so all the admin can get by knowing the password at this point is the information they already had to create the profile and account with. While still not good design it is at least mitigated somewhat in practise. The main issue this behaviour-as-designed introduces is one new user being able to guess another new user's password. The danger this poses can be reduced by forcing the user to choose a new password on first login, before any information is entered, but it still isn't good design to even need this mitigation. If the software is badly arranged enough that the admin knows the password instead of it being generated and sent to the target user without the admin being any the wiser, then it may be that the “force change on first login” option is missing too.
On another note, admin shouldn't be sending entering other peoples passwords anymore, they should be sending invites links that let's the user insert their own.