Problem is judging by the number of emails accusing me of having an insecure forum code becuase they don't follow this advise that 90% of poeple don't do this.

But I have got another solution, to also ask the user for their email address before sending a new password if the two don't match they don't get sent it.

-boRg- wrote: Anyone got ideas for a better solution???

How about 2 additional db fields in Authors table as follows:

1st (encrypted using 1 way PW hashing) = User supplied friendly key word such as Mother's maiden name

2nd (not encrypted) = User supplied prompt for friendly key word such as "My Mother's Name" 

So, User would be required to correctly answer question to regenerate PW. The Admin would not therefore be bothered in majority of cases but in event of complete User brain fade borderiing on lunacy, you could then insist on email from User. The point is that even if DB is hacked, the info is useless in view of hashing.

Bruce, you already have some excellent Technology built - Just re-use for a second level password used as an escape route.

Hope this helps

Take care
Nigel

What are the security issues with this procedure for lost password:

-          on the login page the user select ‘lost password’ link

-          enter the user name

-          he will receive the password on the e-mail address stored in his profile

-     next time he will use the user name and the old password received by email

-boRg- wrote: Anyone got ideas for a better solution???

How about not changing the password when it is requested?

The new version has another solution, where you also need to type in the users registered email address as well as matching username. This is also how many of boards like phpBB does it.

Passwords can't be retreaved as they are one way 160bit encrypted, so you can't send the old password, a new password must be generated.