Hi José,

> 1. When the user presses reset pass the button on a valid user, generate
> a random password.
> 2. Store it in a special field in the User object (rpass?) along
> with the date of which that random pass was generated (rdate?)
> 3. Send it to the user in an email like this:
> Subject: Password reset for user (username) at (name-of-the-site)
> ...

Thanks, this sounds reasonable.

The only problem I see is sending the new password in an unencrypted
email. Shouldn't be a big risk, I suppose. Otherwise, we could extend
the user account so that everyone can deposit his public key, and enable
this password reset functionality only for people who have done so.

- Alex
UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe

Reply via email to