If you ever send out any form of a password, temp or not, it's insecure. If you're asking them personal questions anyways, through an SSL connection, there's no reason to even involve their email, just immediately let them in and make them reset their password. Also, the passwords should be stored in the database as hashes of the actual password, so there's no way for your "designer's" idea to work at all since you would never even know their password. The only reason any companies send out passwords via email is to verify that the email address is valid so they can legally spam you to death. It also makes it harder for bots to script setting up accounts at your site if you have a unique restriction on email addresses, so that for every account the bot creates, it needs an email address.
 

Bruce Dunwiddie
Ticket Technology
P: 866.543.3331
F: 913.451.7832
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Adaryl Wakefield
Sent: Friday, December 05, 2003 3:48 PM
To: [EMAIL PROTECTED]
Subject: [KCFusion]

The designer and I are having a discussion about security.
I say that if people want their passwords they have to submit emails and
answers to personal questions then I send them a temp password in email that
they have to change themselves.
He wants to do something more simple like type in your email address and we
just send you your password. I think that's horribly insecure but that is the
way Macromedia works. Opinions?

Adaryl Wakefield
Aviator by passion
Programmer by sheer force of will
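
The two points made in the reply above, sketched in Python as an added example that is not part of the original thread: the database holds only salted hashes, so there is no password to email, and a correct answer to the personal question (given over the SSL session) flags the account for a forced password reset instead of mailing anything. The `Accounts` class, its in-memory `db`, the field names and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for your hardware

def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)

def make_record(secret: str) -> dict:
    """What gets stored: a random salt and the derived hash, never the secret."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(secret, salt)}

def matches(secret: str, record: dict) -> bool:
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(_derive(secret, record["salt"]), record["hash"])

class Accounts:
    def __init__(self):
        self.db = {}  # email -> row; hypothetical stand-in for a database table

    def register(self, email: str, password: str, answer: str) -> None:
        self.db[email] = {
            "pw": make_record(password),
            "answer": make_record(answer.strip().lower()),  # hashed as well
            "must_reset": False,
        }

    def login(self, email: str, password: str) -> bool:
        row = self.db.get(email)
        return bool(row) and not row["must_reset"] and matches(password, row["pw"])

    def recover(self, email: str, answer: str) -> bool:
        """Correct answer: require a new password in this session. Nothing is emailed."""
        row = self.db.get(email)
        if not row or not matches(answer.strip().lower(), row["answer"]):
            return False
        row["must_reset"] = True  # old password stops working until reset completes
        return True

    def set_new_password(self, email: str, new_password: str) -> None:
        row = self.db[email]
        if not row["must_reset"]:
            raise PermissionError("no recovery in progress for this account")
        row["pw"] = make_record(new_password)
        row["must_reset"] = False
```

Nothing in a stored row can be turned back into the password, which is why the "type in your email and we send you your password" design cannot be built on top of hashed storage.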
