---------- Original Message ----------------------------------
From: "Matt Robertson" <[EMAIL PROTECTED]>
>A big 'me too' on never, ever sending a pwd over email. I use a similar
>system to what Tony described. User enters their email address and I
>send that email acct the username and an encrypted link back to a
>special routine that lets the user change the pwd.

So, instead of just sending the password over e-mail (which should still require the person to know their username, which shouldn't be included in the e-mail), you're sending a link over e-mail which also includes their username? Is that really less secure?

The way I figure, even if the password e-mail is intercepted, the person intercepting the e-mail also needs to know the username. Sure, they could guess (probably based on the user's e-mail address). But it seems to me like your method allows someone intercepting the e-mail to actually change the password to whatever they want, without needing anything but the e-mail (since you're also giving them the username).

Unless I'm missing something there. (Obviously, this is without the question/answer option.)

Scott
--------------------------------
Scott Brady
http://www.scottbrady.net/
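An added example, not code from anyone in this thread: one way a reset link can avoid the problem raised above is to carry only a random, single-use, expiring token and no username, so an intercepted e-mail alone is not enough to change the password. It is written in Python as a stand-in for the application code; `ResetStore`, `TOKEN_TTL`, `issue` and `redeem` are hypothetical names, and the users and timestamps are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)


class ResetStore:
    """In-memory stand-in for a reset-token table (hypothetical schema)."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (username, expires_at)

    def issue(self, username, now=None):
        """Return the token for the emailed link; only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A new request invalidates any older token for the same user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != username}
        self._pending[digest] = (username, now + TOKEN_TTL)
        return token

    def redeem(self, token, claimed_username, now=None):
        """True only for an unexpired, unused token presented with its username."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None or now > entry[1]:
            self._pending.pop(digest, None)  # purge if expired
            return False
        # The link never carries the username, so the redeemer must supply it.
        if not hmac.compare_digest(entry[0].encode(), claimed_username.encode()):
            return False
        del self._pending[digest]  # single use
        return True


def demo():
    store = ResetStore()
    token = store.issue("alice", now=1000.0)  # constructed sample users
    late = store.issue("bob", now=1000.0)
    return [
        store.redeem(token, "guessed-name", now=1010.0),  # link without username
        store.redeem(token, "alice", now=1020.0),         # legitimate use
        store.redeem(token, "alice", now=1030.0),         # replay of a used link
        store.redeem(late, "bob", now=1000.0 + TOKEN_TTL + 1),  # expired link
    ]
```

A deployment would also rate-limit failed `redeem` calls per token, since usernames can often be guessed from the e-mail address.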