On Tue, 26 Oct 2010 16:57:10 +0200
Alexander Burger <a...@software-lab.de> wrote:
> Hi José,
>
> > 1. When the user presses the reset pass button on a valid user,
> > generate a random password.
> > 2. Store it in a special field in the User object (rpass?) along
> > with the date on which that random pass was generated (rdate?)
> > 3. Send it to the user in an email like this:
> > Subject: Password reset for user (username) at (name-of-the-site)
> > ...
>
> Thanks, this sounds reasonable.
>
> The only problem I see is sending the new password in an unencrypted
> email. Shouldn't be a big risk, I suppose. Otherwise, we could extend
> the user account so that everyone can deposit his public key, and
> enable this password reset functionality only for people who have
> done so.
>
> Cheers,
> - Alex

Well, many sites use this scheme, some with special links and such; the
risk is greatly diminished though, because the user just needs to log
in to render those credentials invalid.
-- 
UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe
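
The reset flow discussed in this message, as an added Python sketch that is not code from the thread or from the PicoLisp project: it stores a hash of the random password in `rpass` with its `rdate`, and clears both on any successful login. The 24-hour lifetime, the PBKDF2 hashing, and promoting the random password to the real one on first use are assumptions, not something the thread specifies.

```python
import hashlib, hmac, os, secrets, time

RESET_TTL = 24 * 3600  # assumption: the thread sets no lifetime for rdate

def _hash(password, salt):
    # Assumption: PBKDF2-SHA256; the thread does not say how passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class User:
    def __init__(self, name, password):
        self.name = name
        self.salt = os.urandom(16)
        self.pw = _hash(password, self.salt)
        self.rpass = None  # hash of the pending random password (step 2)
        self.rdate = None  # time at which it was generated (step 2)

def reset_password(user, now=None):
    """Steps 1-2: generate a random password, keep only its hash plus the date.
    Returns the plaintext once, for the e-mail body of step 3."""
    temp = secrets.token_urlsafe(12)
    user.rpass = _hash(temp, user.salt)
    user.rdate = time.time() if now is None else now
    return temp

def login(user, password, now=None):
    now = time.time() if now is None else now
    candidate = _hash(password, user.salt)
    ok = hmac.compare_digest(candidate, user.pw)
    pending = user.rpass is not None and now - user.rdate <= RESET_TTL
    if not ok and pending and hmac.compare_digest(candidate, user.rpass):
        user.pw = user.rpass  # assumption: the random password becomes the real one
        ok = True
    if ok:
        # Any successful login renders the mailed credentials invalid.
        user.rpass = user.rdate = None
    return ok

if __name__ == "__main__":
    u = User("jose", "old-secret")       # constructed sample account
    mailed = reset_password(u)
    print(login(u, "old-secret"), login(u, mailed))
```

A failed login leaves `rpass` untouched, so an attacker guessing passwords cannot cancel a legitimate pending reset.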
