With our current system it is fairly trivial to reset a user's password
against their will. We don't even check the interval in which the
password is requested. I suggest we use Scoop's system of password
mailing:
* When the user requests a password, check if he has requested one
within the last two hours or so
* If so, show an error message
* If he hasn't, send the user a confirmation mail with a URL
* When the user clicks the URL, send the user the new password.
Anyone who disagrees with this proposal will get their password reset by
me 300 times ;-)
Regards,
Erik
--
FOKUS - Fraunhofer Institute for Open Communication Systems
Project BerliOS -
http://www.berlios.de
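The four-step flow proposed above, written out as an added example (not code from the original message, BerliOS or Scoop): a second request for the same account inside the two-hour window is refused, otherwise a random confirmation token is minted and its hash stored, and visiting the URL burns the token and yields a new password. The in-memory stores, the one-hour token lifetime, the `https://example.invalid/reset` endpoint and the `time`-style `now` parameter are assumptions made for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

RESET_INTERVAL = 2 * 60 * 60   # two hours between requests for one account (from the proposal)
TOKEN_LIFETIME = 60 * 60       # confirmation URL is valid for one hour (assumption)
BASE_URL = "https://example.invalid/reset"   # hypothetical confirmation endpoint


def _digest(token: str) -> str:
    """Store only a hash of the token, so a leaked table cannot be replayed as URLs."""
    return hashlib.sha256(token.encode()).hexdigest()


def token_from_url(url: str) -> str:
    """Recover the token from the confirmation URL, as the web handler would."""
    return parse_qs(urlparse(url).query)["token"][0]


@dataclass
class PasswordResetService:
    # username -> time of the last accepted reset request
    last_request: dict = field(default_factory=dict)
    # sha256(token) -> (username, expiry time); one entry per unconfirmed request
    pending: dict = field(default_factory=dict)

    def request_reset(self, username: str, now: float):
        """Steps 1-3: refuse a repeat inside the interval, else mint a confirmation URL.

        Returns the URL to put in the mail, or None when the caller should show
        the error message instead of sending anything.
        """
        last = self.last_request.get(username)
        if last is not None and now - last < RESET_INTERVAL:
            return None
        self.last_request[username] = now
        token = secrets.token_urlsafe(32)           # unguessable, CSPRNG-backed
        self.pending[_digest(token)] = (username, now + TOKEN_LIFETIME)
        return f"{BASE_URL}?token={token}"

    def confirm_reset(self, token: str, now: float):
        """Step 4: when the URL is clicked, consume the token and issue a new password.

        Returns (username, new_password) for the caller to store (hashed) and
        mail, or None for an unknown, already used or expired token.
        """
        entry = self.pending.pop(_digest(token), None)   # pop: single use
        if entry is None:
            return None
        username, expires_at = entry
        if now > expires_at:
            return None
        return username, secrets.token_urlsafe(12)


if __name__ == "__main__":
    svc = PasswordResetService()
    url = svc.request_reset("erik", now=0.0)
    print("mail contains:", url)
    print("repeat after 1h refused:", svc.request_reset("erik", now=3600.0) is None)
    print("click:", svc.confirm_reset(token_from_url(url), now=10.0))
    print("second click refused:", svc.confirm_reset(token_from_url(url), now=11.0) is None)
```

Two things the proposal's wording leaves implicit are made explicit here: the confirmation token is single-use and time-limited, and only its hash is kept server-side. The rate limit is keyed on the target account, not the requester, since the whole point is to stop a third party from resetting someone else's password.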