Meredith Noble wrote:
I meant more of "email a reset password link" to users. Then again, your
approach might be better because people can navigate to the site on
their own rather than trusting a link in an email (which could be
phishing them, technically). Would you agree?

Well, it's not phishing them if it's a legitimate link. :-) But yes, emailing them a temp password then setting the system to force a password change on next login is a reasonably good practice. If an attacker is trying to jack their account they'll get the email and can take appropriate action.

My personal preference is to never mail sensitive links (login, password reset), but Amazon and eBay do it and seem to survive somehow.

--
jet / KG6ZVQ
http://www.flatline.net
pgp:   0xD0D8C2E8  AC9B 0A23 C61A 1B4A 27C5  F799 A681 3C11 D0D8 C2E8
________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... [EMAIL PROTECTED]
Unsubscribe ................ http://www.ixda.org/unsubscribe
List Guidelines ............ http://www.ixda.org/guidelines
List Help .................. http://www.ixda.org/help
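
The temp-password-then-forced-change flow described in the reply above, as an added sketch that is not part of the original message. The names (Account, issue_temp_password, login, change_password), the one-hour lifetime and the choice to keep the old password valid while a reset is pending are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TEMP_TTL = 3600  # assumed lifetime of a temporary password, in seconds

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _matches(password, salt, digest):
    # Constant-time comparison of the derived hash with the stored one.
    return hmac.compare_digest(_hash(password, salt), digest)

class Account:
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.temp = None  # (salt, hash, expiry) while a reset is pending

def issue_temp_password(acct, now=None):
    """Create the one-time password that goes into the reset e-mail."""
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    acct.temp = (salt, _hash(temp, salt), now + TEMP_TTL)
    return temp  # only ever sent to the address on file, stored hashed

def login(acct, password, now=None):
    """Return 'ok', 'change_required' or 'denied'."""
    now = time.time() if now is None else now
    if _matches(password, acct.salt, acct.pw_hash):
        # The old password keeps working, so a reset the owner
        # did not request cannot lock them out.
        return "ok"
    if acct.temp and now <= acct.temp[2] and _matches(password, *acct.temp[:2]):
        return "change_required"  # the only thing this session may do
    return "denied"

def change_password(acct, temp, new_password, now=None):
    """Complete the forced change; the temporary password is discarded."""
    if login(acct, temp, now) != "change_required":
        return False
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _hash(new_password, acct.salt)
    acct.temp = None
    return True
```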
