Forum OpenACS Development: Re: Can question/secret answer be removed from password recovery?

<blockquote>2) If clicked, this causes the password to be emailed to the email on file for that username</blockquote>

How will you recover the user's password?  With the current scheme, I believe the password is hashed using ns_sha1 and irrecoverable.  Which is why the system needs to reset the password when the user forgets it.

The only reason I can think of to retain the "question/secret answer" protocol is that it prevents a malicious person from resetting (and emailing) a known user's password on, say, an hourly basis.  I have never heard of such a case, but it would be annoying to say the least.  Also, it might give users the warm fuzzies since it appears to have become a standard across many sites.

I vote to retain it.
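The two points the reply makes (a hashed password cannot be recovered, only replaced, and an unauthenticated reset endpoint lets anyone reset a known user's password at will) can be shown in a small reset handler. This is an added illustration, not OpenACS code: the page mentions ns_sha1, whereas this example uses salted PBKDF2 as its one-way hash; the `UserStore` class, its method names and the in-memory records are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def _kdf(value: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the stored value cannot be reversed to recover the input."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, ITERATIONS)


class UserStore:
    """In-memory stand-in for a users table (constructed for this example)."""

    def __init__(self):
        self.users = {}        # email -> {"salt", "pw_hash", "answer_hash"}
        self.reset_times = {}  # email -> timestamps of resets already issued

    def add_user(self, email, password, secret_answer):
        salt = os.urandom(16)
        self.users[email] = {
            "salt": salt,
            "pw_hash": _kdf(password, salt),
            # normalise the answer so capitalisation/whitespace don't lock the user out
            "answer_hash": _kdf(secret_answer.strip().lower(), salt),
        }

    def check_password(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw_hash"], _kdf(password, rec["salt"]))

    def request_reset(self, email, secret_answer, now, window=3600, max_resets=1):
        """Gate the reset on the secret answer and on a per-user rate limit.

        Returns (status, new_password). new_password is only set on success and
        stands in for the value the system would e-mail to the address on file;
        the old password is overwritten, never recovered.
        """
        rec = self.users.get(email)
        # Same response for unknown user and wrong answer: reveals nothing about accounts.
        if rec is None or not hmac.compare_digest(
                rec["answer_hash"], _kdf(secret_answer.strip().lower(), rec["salt"])):
            return ("denied", None)
        # Even with the right answer, cap how often one account can be reset,
        # so a reset cannot be triggered "on an hourly basis" against a user.
        recent = [t for t in self.reset_times.get(email, []) if now - t < window]
        if len(recent) >= max_resets:
            return ("rate_limited", None)
        new_password = secrets.token_urlsafe(12)
        rec["pw_hash"] = _kdf(new_password, rec["salt"])
        self.reset_times[email] = recent + [now]
        return ("reset", new_password)


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice@example.com", "old-pass", "Rover")  # constructed sample user
    print(store.request_reset("alice@example.com", "fluffy", now=1000))   # denied
    print(store.request_reset("alice@example.com", "rover", now=1000))    # reset, new password
    print(store.request_reset("alice@example.com", "rover", now=1500))    # rate_limited
```

Without the secret-answer check, the `denied` branch disappears and any visitor who knows an address can force a new password onto that account; the rate limit is the second, independent guard, and the time window is a parameter rather than a fixed hour.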