--- webserver_auth.module	2008-03-10 17:43:42.000000000 -0400
+++ webserver_auth.module.initial_password_fix	2008-04-17 12:48:05.000000000 -0400
@@ -42,7 +42,9 @@ function webserver_auth_init() {
       $test_user = user_external_load($account->name);
       if (!$test_user->uid) {
         if (variable_get("user_register", 1) == 1) {
-          $user_default = array("name" => $account->name, "pass" => "cyan", "init" => db_escape_string($name), "authname_webserver_auth" => $account->name, "status" => 1, "roles" => array(DRUPAL_AUTHENTICATED_RID));
+          //for safety's sake lets make the intial password random in case the standard drupal login is also enabled
+          $randpass = uniqid("webserver_auth");
+          $user_default = array("name" => $account->name, "pass" => "$randpass", "init" => db_escape_string($name), "authname_webserver_auth" => $account->name, "status" => 1, "roles" => array(DRUPAL_AUTHENTICATED_RID));
           // TODO - the hook_user('register') will fire but only for loaded modules. could be a problem for sites using page cache and that hook+operation
           $user = user_save("", array_merge($user_default, (array)$account));
           watchdog("user", "new user: $user->name (webserver_auth)", l(t("edit user"), "admin/user/edit/$user->uid"));