[Just replying to one aspect of the original message.]

On Mon, 7 Aug 2017 18:26:00 -0500 David Jones <djo...@ena.com> wrote:
> First, it's a bad idea for a number of reasons to send passwords via
> email. Most modern "lost password" mail loops use a unique URL that
> expires after a short period of time.

As long as both methods expire, both methods require answering a prearranged question (or some out-of-band method of authentication), and both methods require immediate changing of the password, a link is no more secure than sending the temporary password.

In fact, a link may eventually lead to *less* security as it's easier to phish people if legitimate messages include a link rather than not including a link. Encouraging people not to click links in messages like legitimate password recovery emails is a Good Thing, IMO, as it'll make them less likely to click links in fake ones.

I realize I'm tilting at windmills.

Regards,

Dianne.