There must be something more.  Any organization would have generic
logins, like "sales", or it would be easy to guess employee logins
from the "about us" page.  It makes sense that the password reset
should be intended ONLY for customers, not (any) system-type login.

I would think that the password reset feature should be limited to
certain roles, like "Customer".

On Sat, Jul 30, 2011 at 4:00 AM, BJ Freeman <bjf...@free-man.net> wrote:
> for production systems do not use "admin" as a login.
> it is never created.
>
> Mike sent the following on 7/30/2011 12:10 AM:
>> Why is it that *any* user, using the password reset or "Forgot
>> Your Password", can actually force "admin" to change the password?  Is
>> there a way to turn this off?
>>
>

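As an added illustration of the role-restricted reset suggested in this thread (example code, not from the thread or from any product discussed in it), the handler below only issues a reset token for accounts holding a "Customer"-type role, refuses silently for system logins such as "admin" or "sales", returns the same message whether or not the login exists (so the "about us" page is no help in confirming logins), and writes an audit event a detection pipeline could alert on. The role names, the user store and the token lifetime are constructed assumptions for the demo.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Only accounts holding one of these roles may use self-service reset.
# The role name is an assumption for this example, not taken from any product.
RESET_ELIGIBLE_ROLES = {"CUSTOMER"}
TOKEN_TTL_SECONDS = 900


@dataclass
class Account:
    login: str
    roles: set
    enabled: bool = True
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: bytes = b""


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample user store: one system login, one generic login, one customer.
USERS = {
    "admin": Account("admin", {"ADMIN"}),
    "sales": Account("sales", {"SALES"}),
    "jdoe": Account("jdoe", {"CUSTOMER"}),
}
for _acct in USERS.values():
    _acct.password_hash = _hash_password("initial-" + _acct.login, _acct.salt)

_pending_tokens = {}   # sha256(token) -> (login, expiry)
_audit_log = []        # what a detection pipeline would consume

GENERIC_RESPONSE = "If that account is eligible for self-service reset, instructions were sent."


def _audit(event, login):
    _audit_log.append({"ts": time.time(), "event": event, "login": login})


def audit_events(login):
    return [e["event"] for e in _audit_log if e["login"] == login]


def request_password_reset(login, now=None):
    """Issue a one-time reset token only for eligible roles.

    Returns (user_facing_message, token). The message is identical for unknown,
    disabled and ineligible logins, so the endpoint does not confirm which
    logins exist. The token is returned here only for the demo; a real
    deployment delivers it out-of-band and never echoes it to the requester.
    """
    now = time.time() if now is None else now
    acct = USERS.get(login)
    if acct is None:
        _audit("reset_requested_unknown_login", login)
        return GENERIC_RESPONSE, None
    if not acct.enabled or not (acct.roles & RESET_ELIGIBLE_ROLES):
        # Refused outright: nothing changes for "admin" or "sales", and the
        # attempt is recorded for alerting.
        _audit("reset_denied_ineligible_role", login)
        return GENERIC_RESPONSE, None
    token = secrets.token_urlsafe(32)
    _pending_tokens[hashlib.sha256(token.encode()).hexdigest()] = (login, now + TOKEN_TTL_SECONDS)
    _audit("reset_token_issued", login)
    return GENERIC_RESPONSE, token


def redeem_reset_token(token, new_password, now=None):
    """Set a new password if the token is valid, unexpired and unused (single use)."""
    now = time.time() if now is None else now
    entry = _pending_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    login, expiry = entry
    acct = USERS.get(login)
    # Re-check eligibility at redemption: roles may have changed since issuance.
    if now > expiry or acct is None or not (acct.roles & RESET_ELIGIBLE_ROLES):
        _audit("reset_token_rejected", login)
        return False
    acct.password_hash = _hash_password(new_password, acct.salt)
    _audit("password_reset_completed", login)
    return True


def verify_password(login, password):
    acct = USERS.get(login)
    if acct is None:
        return False
    return secrets.compare_digest(acct.password_hash, _hash_password(password, acct.salt))


if __name__ == "__main__":
    print(request_password_reset("admin"))   # generic message, no token issued
    print(request_password_reset("jdoe"))    # generic message plus a token
```

The eligibility check runs twice on purpose: once when the token is issued and again when it is redeemed, so promoting a customer account to a staff role in between does not leave a usable reset token behind. System and service logins get their credentials rotated through an administrative path that is not reachable from the public reset form.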