I'd like to continue this thread because some e-lane users are expressing concerns that it is too easy to reset a user's password, although it is not a big security flaw.
It's been suggested to change the code to email a URL token for changing the password, instead of just resetting the password. This way the user would get a token in the email, but the password itself would not be reset.
This is just what http://bugzilla.mozilla.org/ does.
What do you think about this issue?
Has anyone implemented this way of resetting the password?
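The flow proposed above (mail a one-time URL token; only change the password when the token is redeemed), as an added example in Python. This is not e-lane's code nor Bugzilla's, and the one-hour token lifetime, the in-memory stores, the example.invalid URL and the outbox list standing in for an SMTP call are all assumptions made for the example. The points worth copying are that only a hash of the token is stored (a leaked database does not yield usable reset links), that a token is single-use and expires, that requesting a reset does not touch the current password, and that the request returns the same result whether or not the address exists, so the form cannot be used to enumerate accounts.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 3600  # assumed one-hour validity; not taken from the thread


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-SHA256 with a random 16-byte salt, stored as 'salt$digest' (hex)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Token-based reset: the password changes only when a valid token is redeemed."""

    def __init__(self, users: Dict[str, dict], clock: Callable[[], float] = time.time):
        # users: user_id -> {"email": ..., "password_hash": ...}  (constructed sample store)
        self.users = users
        self.clock = clock
        self._pending: Dict[str, ResetRecord] = {}  # sha256(token) -> record; raw token is never stored
        self.outbox: List[Tuple[str, str]] = []     # (email, reset URL); stands in for sending mail

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> None:
        """Mail a reset link. Returns nothing in every case so the caller cannot learn
        whether the address is registered; the current password is left untouched."""
        user_id = next((uid for uid, u in self.users.items() if u["email"] == email), None)
        if user_id is None:
            return
        for rec in self._pending.values():
            if rec.user_id == user_id:
                rec.used = True  # only the newest token for a user stays live
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = ResetRecord(user_id, self.clock() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, "https://example.invalid/reset?token=" + token))

    def redeem(self, token: str, new_password: str) -> bool:
        """Set a new password if the token is known, unused and unexpired. Single use."""
        rec = self._pending.get(self._digest(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        rec.used = True
        self.users[rec.user_id]["password_hash"] = hash_password(new_password)
        return True


def token_from_url(url: str) -> str:
    """Pull the token back out of the mailed link (what the browser would send)."""
    return parse_qs(urlparse(url).query)["token"][0]


if __name__ == "__main__":
    users = {"u1": {"email": "alice@example.invalid", "password_hash": hash_password("old-pass")}}
    svc = PasswordResetService(users)
    svc.request_reset("alice@example.invalid")
    link = svc.outbox[0][1]
    print("mailed:", link)
    print("redeemed:", svc.redeem(token_from_url(link), "new-pass"))
    print("second use accepted:", svc.redeem(token_from_url(link), "again"))
```

In a real deployment the pending records live in the database next to the user row, the token is compared after hashing exactly as above, and the reset form should also ask for the new password twice and invalidate existing sessions once the change goes through.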