Yes, they could sniff e-mail traffic. However, no system is foolproof. If you don't want to send the user a password in an e-mail, don't. Send them a one-use link to enter their password/activate their account.
The questions I would ask are how sensitive is the data that you are securing and how inconvenienced are your users willing to be to access it online. If the answer to both is VERY, then perhaps you should look at using two-factor authentication such as RSA's SecurID. Yes. This costs money, but if you *NEED* to know the person logging in is the authorized person, you should be able to pass this on to your customer as a fairly easy (but not cheap) solution to security. Again, if your customer is demanding real security, they are going to have to pay for it.

I could talk your ear off regarding building secure logins, but I won't. The best place I've found that talks about all the different options is the OWASP wiki.

http://www.owasp.org/index.php/Authentication

At the end of the day, you can only do so much to secure a system. What's gonna happen is someone is going to break into a user's house and steal that person's username/password black book and get access to your system anyways and all your effort will be for naught :(

My bank even "profile"s users such as collecting their IP/OS/browser version, etc. and verifies login attempts against known profiles for that user and asks additional questions if it's an unknown profile.

hope this helps,
jeff

> there have also been some neat solutions on here, although I am thinking
> that if someone was to hack into the mail server, or falsely receive
> the email meant for someone else, they could easily log on (as in our
> system the username is their email), so they would have someone's
> username and password, can log on and cause a lot of havoc in the
> system.
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:300279
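The one-use activation link suggested in the reply above, sketched as an added example that is not part of the original post or of any ColdFusion code from the list. The class name, the base URL, the one-hour lifetime and the in-memory store are all assumptions made for illustration; a real application would keep the pending entries in its database.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a link


class ActivationLinks:
    """Pending one-use links, kept in memory for the example."""

    def __init__(self, base_url, now=time.time):
        self._base_url = base_url
        self._now = now  # injectable clock so expiry can be tested
        self._pending = {}  # sha256(token) hex -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table holds no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create the link to e-mail; an older unused link for the address dies."""
        self._pending = {h: v for h, v in self._pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return f"{self._base_url}?token={token}"

    def redeem(self, token):
        """Return the address the token was issued for, or None if unusable."""
        # pop() removes the entry on first use, so a sniffed link replayed
        # after the real user has clicked it is rejected.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._now() <= expires_at else None


if __name__ == "__main__":
    links = ActivationLinks("https://app.example.test/activate")  # constructed URL
    url = links.issue("user@example.test")  # constructed address
    token = url.split("token=")[1]
    print(links.redeem(token))  # first use succeeds
    print(links.redeem(token))  # second use is refused
```

The user sets the password on the page the link opens, so no password ever travels by e-mail; the link itself is still only as private as the mailbox it lands in.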

