When new users are created without specifying passwords, Identify needs to generate random passwords for them like in the following cases:

• Use REST API's POST without setting a password to the Password attribute
• Auto-create users at login time when the Update unknown users from login setting is ticked.
  
• Create new users using Admin interface with the Create password automatically option.
  

Identify tries to generate passwords that can pass all password validation policies:

• A password must not contain the username
• Password length is from 64 to 100 characters
• A generated password contains at least one lower case character, one upper case character, a numeric character, and one special character. The list of special characters are:
  
• Satisfy the Regex password policy. However, since you can customize the Regex policy, there is a chance generated passwords cannot meet your custom policy. Thus, if no passwords satisfy the Regex policy after 100 attempts, Identify will use the last one.

As a side note, Identify hashes generated passwords using Bcrypt algorithm with salt and never sends them out to users in plain text.

Identify version 5.12 and before

Generated passwords contain upper case characters, lower case characters, and numbers. It does not use any special characters. So, if you update your Regex policy to require special characters, the password generator will keep trying and end up with an infinite loop.