Alfred E. Newman
I want to enable visitors who have forgotten their password to request a new
one. I have seen that some sites simply require users to enter their e-mail
address. Then the server-side logic sends the password (perhaps a new
temporary one) to the e-mail address if it is a valid address in the db for
the site.
I'm looking for opinions and perspective on implementing something similar.
I understand that doing this would open up additional security risks - but
considering the tradeoffs, it might be worthwhile (no angry users calling me
at 2:00 AM). But as long as I'm going to do something like this, I want to
be smart about it. So, any feedback, links, etc. that deal with this topic
would be appreciated.
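
One way to build the e-mail reset flow asked about above, shown as an added example that is not part of the original post: the server mails a random single-use code instead of the password, stores only a hash of it with an expiry, and gives the same reply whether or not the address is in the database. The names `ResetService`, `request_reset`, `redeem`, the 15-minute lifetime and the `example.test` addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset code stays valid (assumed value)
GENERIC_REPLY = "If that address is registered, a reset message has been sent."


class ResetService:
    """Hypothetical reset handler; user store and mailer are injected."""

    def __init__(self, known_emails, send_mail, clock=time.time):
        self.users = {e.lower() for e in known_emails}
        self.send_mail = send_mail   # callable(address, body)
        self.clock = clock
        self.pending = {}            # email -> (sha256 hex of code, expiry time)

    def request_reset(self, email):
        email = email.strip().lower()
        if email in self.users:
            token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
            digest = hashlib.sha256(token.encode()).hexdigest()
            # A new request overwrites any older pending code for the account.
            self.pending[email] = (digest, self.clock() + TOKEN_TTL)
            self.send_mail(email, f"Your one-time reset code: {token}")
        # Same reply either way, so the form does not reveal who has an account.
        return GENERIC_REPLY

    def redeem(self, email, token):
        email = email.strip().lower()
        digest, expiry = self.pending.get(email, ("", 0.0))
        supplied = hashlib.sha256(token.encode()).hexdigest()
        ok = hmac.compare_digest(digest, supplied) and self.clock() < expiry
        if ok:
            del self.pending[email]  # single use: the code cannot be replayed
        return ok


if __name__ == "__main__":
    outbox = []  # constructed stand-in for a real mail sender
    svc = ResetService(["user@example.test"], lambda a, b: outbox.append((a, b)))
    print(svc.request_reset("nobody@example.test"), "| mails sent:", len(outbox))
    print(svc.request_reset("user@example.test"), "| mails sent:", len(outbox))
    code = outbox[0][1].rsplit(" ", 1)[1]
    print("first redeem:", svc.redeem("user@example.test", code))
    print("replay:", svc.redeem("user@example.test", code))
```

After a successful `redeem`, the site would let the user choose a new password over the same session; the existing password is never sent or changed by the request alone.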