What is the need / problem
The SuperAdmin user should not be able to see, change or reset a user’s password. If users need to reset their password, they can do it themselves.
Who does it impact
All users created by a super admin.
What is the current impact of this problem
Setting a password as admin always comes with the problem of how to communicate that password to the user. In most cases it’s sent via email, which is not a secure medium. The password is likely to end up on several computers (the sender, the mail servers, the receiver, backups) and is stored in plain text.
The admin can set a temporary password that has to be changed by the user, but most users don’t do it.
What is the benefit in focusing on this
Improving security for users.
Links to more details
Potential solutions that will solve this problem
OFN sends out a link to validate the email address and let the user set the password at the same time (when they click that link they should be prompted to set a password).
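A sketch of the proposed flow, added here as an illustration and not taken from OFN's code base: the admin creates the account without ever handling a password, and the emailed link carries a random single-use token that both confirms the address and lets the user choose the password. The class name `InviteFlow`, the in-memory store, the 24-hour lifetime and the 12-character minimum are all assumptions.

```ruby
require "securerandom"
require "digest"
require "openssl"

# Hypothetical in-memory model of a "confirm email and set password" invite.
class InviteFlow
  TTL = 24 * 60 * 60 # assumed link lifetime in seconds
  User = Struct.new(:email, :confirmed, :password_hash, :salt)

  def initialize
    @users = {}   # email => User
    @invites = {} # SHA-256(token) => { email:, expires_at: }
  end

  # Admin action: the account is created with no password at all. The raw
  # token goes into the emailed link; only its digest is kept server-side.
  def invite(email, now: Time.now)
    @users[email] = User.new(email, false, nil, nil)
    token = SecureRandom.urlsafe_base64(32)
    @invites[Digest::SHA256.hexdigest(token)] = { email: email, expires_at: now + TTL }
    token
  end

  # User action: following the link proves control of the mailbox, so one
  # request confirms the address and sets the password chosen by the user.
  def accept(token, password, now: Time.now)
    digest = Digest::SHA256.hexdigest(token.to_s)
    invite = @invites[digest]
    return :invalid if invite.nil?
    return :expired if now > invite[:expires_at]
    return :weak_password if password.to_s.length < 12 # assumed policy
    @invites.delete(digest) # single use: the link stops working after success
    user = @users.fetch(invite[:email])
    user.salt = SecureRandom.bytes(16)
    user.password_hash = hash_password(password, user.salt)
    user.confirmed = true
    :ok
  end

  def authenticate(email, password)
    user = @users[email]
    return false unless user&.confirmed && user.password_hash
    OpenSSL.fixed_length_secure_compare(user.password_hash, hash_password(password, user.salt))
  end

  private

  def hash_password(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 200_000, length: 32, hash: "sha256")
  end
end
```

Until the link is used the account has no password, so nothing usable as a credential sits in the sender's mailbox, on mail servers or in backups once the token has been redeemed or has expired.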