 Posted by C. (http://symcbean.blogspot.com/) on 12/30/07 20:40 
On 29 Dec, 13:50, Anthony Levensalor <anth...@mypetprogrammer.com> 
wrote: 
> rf said: 
> 
> > "twomt" <no-re...@nemesiswar.net> wrote in message 
> >news:fl5ea5$d1u$1@aioe.org... 
> >> Hello, 
> 
> >> are there any tutorials/guides out there that explain how to handle this 
> >> subject? 
> 
> >> I was thinking of having a member enter his username and email, after 
> >> which I then email him a new password. 
> 
> > To where would you email him the new password? What if I enter my email 
> > address, do you email his new password to me? 
> 
> >  -- 
> > Richard. 
> 
> No, that would be stupid. If someone has a password with me, as in an 
> account at one of my sites, I already have their email in a database. I 
> mail the new password to that address, and done is done. 
> 
> ~A! 
> 
> -- 
> Anthony Levensalor 
> anth...@mypetprogrammer.com 
> 
> Only two things are infinite, the universe and human stupidity, 
> and I'm not sure about the former. - Albert Einstein 
 
1) That's inflexible - you are expecting the user to know two out of 
three facts. 
2) It provides a way for a third party to carry out a denial-of-service 
attack against your users. 
 
If you look at existing systems, the more sensible ones send out a URL 
with a single-use visa in the query part, allowing the user to 
access the site without presenting their login credentials. 
 
C.
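The flow C. describes, as an added example that is not code from the thread or from any of its posters: a reset request generates a random single-use token, only a hash of it is stored with an expiry, and the link carrying the token in its query part is e-mailed to the address on file. Nothing about the account changes until the link is consumed, so the password-resetting denial of service described above is not possible. The user store, the token store, the 15-minute lifetime and the https://example.invalid/reset URL are all constructed for the example.

```python
"""Single-use password-reset link flow (added example, not from the original
thread). The in-memory USERS and RESET_TOKENS tables, the 15-minute TTL and
the example.invalid hostname are constructed stand-ins for a real store."""
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL_SECONDS = 15 * 60  # constructed value: a link is good for 15 minutes

# Constructed sample user table: email -> record. A real system would store a
# slow password hash, not the password; only the reset mechanics matter here.
USERS = {
    "alice@example.invalid": {"user_id": 1, "password": "old-secret"},
}

# Only sha256(token) is kept, so a leaked table yields no working links.
RESET_TOKENS = {}  # token hash -> {"user_id": int, "expires": float}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Start a reset. Returns the URL to e-mail to the address on file, or
    None if the address is unknown. The existing password keeps working, so a
    third party submitting someone else's address cannot lock them out. The
    caller must send the same HTTP response in both cases to avoid telling an
    attacker which addresses have accounts."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits, URL-safe alphabet
    RESET_TOKENS[_token_hash(token)] = {
        "user_id": user["user_id"],
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return f"https://example.invalid/reset?token={token}"


def token_from_url(url: str) -> str:
    """Pull the token back out of the query part of a reset link."""
    return parse_qs(urlsplit(url).query).get("token", [""])[0]


def consume_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Finish a reset using the token from the link. The token is good for
    exactly one attempt: it is removed from the store before any check, so an
    expired or replayed link can never be used later. Looking up the hash
    rather than the token itself means a dictionary lookup leaks nothing
    about how close a guessed token was to a valid one."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(_token_hash(token), None)  # single use
    if record is None or now > record["expires"]:
        return False
    for user in USERS.values():
        if user["user_id"] == record["user_id"]:
            user["password"] = new_password  # real code: store a slow hash
            return True
    return False
```

In a real deployment the token store is a database table with a unique index on the hash column, the password is written through the same slow hash used at login, and any other outstanding reset tokens for the user are invalidated when one is consumed.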
 