random password vs. user created password for site login


mcdougals4all
02-01-2005, 09:08 PM
Are there any security issues or other concerns that make one preferable? The client is pushing for user created passwords.

I'm mapping out the basic functionality and front-end for a MySQL/PHP back-end that will be completed by a third party. I'm a novice to MySQL but familiar with PHP and their interaction. Mainly looking for anything to support one method over the other.

raf
02-01-2005, 09:26 PM
Well, if they are random passwords, then there is a higher chance that they'll be 'strong' passwords. I mean, every application with a fair number of users will have a few funny guys that use 'secret' or similar.

If you use user created ones, then some of the things you can do are:
- require a minimum length (at least 5 positions)
- require them to use both numbers and letters
- check to make sure that the password isn't identical to the username
- check to make sure that the username is not part of the password
- check if the password isn't inside your collection of bad-words (secret, password, enter etc)
- require them to change the password every 30 days or so
etc
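
The content checks from the list above, plus a random generator that has to pass the same checks, as an added example that is not part of the original post or the site's code. All function and constant names are hypothetical, the sample input is constructed, and the 30-day change rule is left out because it needs a stored last-changed date.

```php
<?php
// Added example; every name here is hypothetical. Limits come from the post above.
const MIN_LENGTH = 5;                                // "at least 5 positions"
const BAD_WORDS  = ['secret', 'password', 'enter'];  // extend with your own list

// Returns the list of violated rules; an empty array means the password passes.
function password_problems(string $username, string $password): array
{
    $problems = [];
    if (strlen($password) < MIN_LENGTH) {
        $problems[] = 'too short';
    }
    if (!preg_match('/[a-z]/i', $password) || !preg_match('/[0-9]/', $password)) {
        $problems[] = 'needs both letters and numbers';
    }
    if ($username !== '' && strcasecmp($username, $password) === 0) {
        $problems[] = 'identical to username';
    } elseif ($username !== '' && stripos($password, $username) !== false) {
        $problems[] = 'contains username';
    }
    foreach (BAD_WORDS as $word) {
        // Case-insensitive substring match, so "Secret1" is caught as well as "secret".
        if (stripos($password, $word) !== false) {
            $problems[] = "contains bad word '$word'";
            break;
        }
    }
    return $problems;
}

// Random alternative: draws from the CSPRNG and retries until the rules above pass.
function random_password(int $length = 12): string
{
    $length   = max($length, MIN_LENGTH);  // shorter values could never pass the checks
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789'; // no 0/O, 1/l/I
    do {
        $password = '';
        for ($i = 0; $i < $length; $i++) {
            $password .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
    } while (password_problems('', $password) !== []);
    return $password;
}

// Constructed sample input: [username, candidate password].
foreach ([['raf', 'secret'], ['raf', 'raf12345'], ['raf', 'k9vTq2mX']] as [$u, $p]) {
    printf("%-10s %s\n", $p, implode('; ', password_problems($u, $p)) ?: 'ok');
}
```

Run the checks on the server when the password is set or changed; a JavaScript check in the browser alone can be bypassed.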

mcdougals4all
02-01-2005, 09:45 PM
Thank you. This gives me the back-up I need to push for a random password.