You are correct. My goal in not sending the password in clear text is to protect the user's OTHER accounts, not so much their account on my server. As I mentioned, intercepting the "change password" email WOULD allow the nefarious person to gain access to their account on my server - but it still protects the user's password.
As Matt described, the challenge/answer part would add that next layer of protection...

> The way I figure, even if the password e-mail is intercepted, the person
> intercepting the e-mail also needs to know the username. Sure, they
> could guess (probably based on the user's e-mail address). But it seems
> to me like your method allows someone intercepting the e-mail to
> actually change the password to whatever they want, without needing
> anything but the e-mail (since you're also giving them the username).
>
> Unless I'm missing something there. (Obviously, this is without the
> question/answer option.)
>
> Scott
> --------------------------------
> Scott Brady
> http://www.scottbrady.net/

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
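The point Scott raises is that an emailed reset message which carries everything needed to change the password (token plus username) lets whoever intercepts it take over the account on this server, and the challenge/answer step is what stops that. The following is an added example illustrating that design, not code from the thread or from anyone's ColdFusion application (it is written in Python rather than CFML so it can be run as-is). All names here (PasswordResetService, TOKEN_TTL_SECONDS, the in-memory dictionaries standing in for a user table and a reset table) are assumptions for the example. The emailed token is random, stored only as a hash, expires, and is single-use; completing the reset additionally requires the username and the answer to the user's challenge question, so the e-mail alone is not enough.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: an emailed reset token is good for 15 minutes
PBKDF2_ROUNDS = 100_000       # assumed work factor for the slow hash below


def _slow_hash(secret: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (stdlib PBKDF2) for passwords and challenge answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _token_hash(token: str) -> str:
    """Tokens are high-entropy, so a plain SHA-256 is enough to avoid storing them in clear."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _normalise_answer(answer: str) -> str:
    """Case- and whitespace-insensitive comparison of a challenge answer."""
    return " ".join(answer.lower().split())


class PasswordResetService:
    """Hypothetical reset service; dictionaries stand in for the users and reset-token tables."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised offline
        self.users = {}         # username -> {email, salt, pw_hash, answer_hash}
        self.resets = {}        # sha256(token) -> {username, expires}

    def add_user(self, username: str, email: str, password: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "email": email,
            "salt": salt,
            "pw_hash": _slow_hash(password, salt),
            "answer_hash": _slow_hash(_normalise_answer(answer), salt),
        }

    def verify_password(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["pw_hash"], _slow_hash(password, user["salt"]))

    def request_reset(self, email: str):
        """Return the token the caller will e-mail, or None if no account has that address.

        Only the token's hash is kept server-side, so a database leak does not expose live
        reset links. The HTTP response shown to the requester should be identical in both
        cases so the form cannot be used to enumerate which addresses have accounts.
        """
        for username, user in self.users.items():
            if user["email"] == email:
                token = secrets.token_urlsafe(32)
                self.resets[_token_hash(token)] = {
                    "username": username,
                    "expires": self.now() + TOKEN_TTL_SECONDS,
                }
                return token
        return None

    def complete_reset(self, token: str, username: str, answer: str, new_password: str) -> bool:
        """Change the password only if token, username and challenge answer all agree.

        The token is consumed on the first attempt, successful or not, which gives someone
        who intercepted the e-mail exactly one guess at the challenge answer per token.
        """
        entry = self.resets.pop(_token_hash(token), None)
        if entry is None or self.now() > entry["expires"]:
            return False
        user = self.users.get(username)
        if user is None or entry["username"] != username:
            return False
        expected = user["answer_hash"]
        supplied = _slow_hash(_normalise_answer(answer), user["salt"])
        if not hmac.compare_digest(expected, supplied):
            return False
        user["pw_hash"] = _slow_hash(new_password, user["salt"])
        return True
```

With this layout the e-mail carries only the opaque token; the username and the challenge answer are supplied by the person filling in the reset form, which is what makes an intercepted message insufficient on its own. Whether the username should also be kept out of the e-mail is the question the quoted reply is raising.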

