Forum OpenACS Q&A: Re: Interesting article on web based password protection

I'd like to continue this thread because some e-lane users are showing concerns because it's too easy to reset a user password, although it is not a big security flaw.

It's been suggested to change the code to email a URL token to change the password, instead of just resetting the password. This way the user would get a token in the email but won't get the password reset.

This is just what does.

What do you think about this issue?
Has anyone implemented this way of resetting the password?