Temporary passwords should be automatically and randomly generated.
CWE-640: Weak Password Recovery Mechanism for Forgotten Password: The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
CWE-263: Password Aging with Long Expiration: Allowing password aging to occur unchecked can result in the possibility of diminished password integrity.
NIST 800-63B 6.1.1 Binding at Enrollment: Temporary secrets SHALL NOT be reused.
OWASP-ASVS v4.0.1 V2.3 Authenticator Lifecycle Requirements (2.3.1): Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long, and MAY contain letters and numbers, and expire after a short period of time. These initial secrets must not be permitted to become the long term password.
PCI DSS v3.2.1 - Requirement 8.2.6: Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
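
The requirements listed above, combined in one issuer, as an added example that does not come from any of the cited standards. The class name `TempPasswordStore`, the 12-character length, the 15-minute lifetime and the PBKDF2 round count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits
TEMP_LENGTH = 12            # assumption; ASVS 2.3.1 asks for at least 6
TEMP_TTL_SECONDS = 15 * 60  # assumption for "a short period of time"
KDF_ROUNDS = 100_000        # assumption; tune for your hardware


class TempPasswordStore:
    """In-memory stand-in for the credential table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}  # user -> (salt, digest, expires_at)

    @staticmethod
    def _digest(salt, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ROUNDS)

    def issue(self, user):
        """Generate a fresh per-user temporary password from the OS CSPRNG."""
        temp = "".join(secrets.choice(ALPHABET) for _ in range(TEMP_LENGTH))
        salt = secrets.token_bytes(16)
        # Overwriting any earlier record invalidates the previous secret.
        self._records[user] = (salt, self._digest(salt, temp),
                               self._clock() + TEMP_TTL_SECONDS)
        return temp  # shown or sent once; only the digest is stored

    def redeem(self, user, temp, new_password):
        """Return True if temp is valid and may be exchanged for new_password."""
        record = self._records.get(user)
        if record is None:
            return False
        salt, digest, expires_at = record
        if self._clock() > expires_at:
            del self._records[user]  # expired secrets are discarded
            return False
        if not hmac.compare_digest(digest, self._digest(salt, temp)):
            return False
        if hmac.compare_digest(new_password.encode(), temp.encode()):
            return False  # temp value must not become the long-term password
        del self._records[user]  # single use: cannot be redeemed again
        return True
```

The caller stores `new_password` through its normal password-setting path only when `redeem` returns True; limiting failed `redeem` attempts per user is left to the surrounding application.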