What if we reduced account creation to just an email address?
sefsar.com
What if? Then you have zero security.
A confirmation email would be sent to the user. When they click on the link contained within, they'd be directed to a page that would ask them to define a password.
It's about simplifying the on-boarding. The password doesn't need to be defined during the first session. Plus the email encourages re-engagement later that day.
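The confirmation-link flow described in the reply above, as an added example that is not part of the original thread or the linked site. Until a password is defined, the emailed link is the account's only credential, so the sketch makes it unguessable, expiring and single-use. The function names, the in-memory stores and the one-hour lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL = 3600  # assumed lifetime of the emailed link, in seconds

# Constructed in-memory stores standing in for database tables.
pending = {}   # email -> {"token_hash": str, "expires": float}
accounts = {}  # email -> (salt, password_hash)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def start_signup(email: str, now: Optional[float] = None) -> str:
    """Record a pending account; return the token to embed in the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    # Store only a hash, so a leaked table does not yield working links.
    pending[email] = {"token_hash": _digest(token), "expires": now + TOKEN_TTL}
    return token


def set_password(email: str, token: str, password: str,
                 now: Optional[float] = None) -> bool:
    """Define the password only for a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    rec = pending.get(email)
    if rec is None:
        return False
    if now > rec["expires"]:
        del pending[email]  # expired links are discarded
        return False
    # Constant-time comparison of the stored and presented token hashes.
    if not hmac.compare_digest(rec["token_hash"], _digest(token)):
        return False
    del pending[email]  # single use: the link is dead once consumed
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    accounts[email] = (salt, pw_hash)
    return True
```
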