Fred: Sadly, setting a predictable password isn't going to stop a slow
'drip drip' process enumerating passwords.

John: The core problem, as is the case with much of AR System, is an
unwillingness to tackle design changes in the correct place. You are
correct that security should happen in the server, hence it should check
the disabled user radio. How much effort is that - about ten minutes
with an if statement? 

I firmly believe in getting the core product right. I think I'm in a
minority. :)

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"
