Skip to main content
Software Engineering

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

4
  • 2
    I've done this in several sites. While you can argue that a mail snooper can get the password, they can also get whatever other temporary token etc you would email. This approach is simpler for the user (they can copy and paste or even type the temp password) and doesn't take a security hit. Commented Oct 28, 2010 at 15:52
  • Unless somebody is using secure way to connect to mail server (i.e. web mail via HTTPS or POP3 over TLS), such communication could be easily sniffed. In that case some "haX0r" could easily log into other user's account. That's why it is bad idea. Reset link should be sent as Chris suggests and accompanied security question should be asked before actually letting user to change his/her password. Still not 100% safe (as many times answers to such security questions could be easily guessed), but I can't see any better solution. Commented Oct 28, 2010 at 15:55
  • 2
    @Pawel Dyda A reset link can also be sniffed, if your email is getting sniffed i think having a temp password in your email is the least of your worries. Commented Oct 28, 2010 at 15:57
  • That's why I wrote about security question. Commented Oct 28, 2010 at 17:15