Good read, Charles! I just have one comment:

[Charles Miller]
| Encrypted Email
| ===============
|
| A secure channel method, sending an email encrypted with some
| secret only known to the customer is possible, but is sufficiently
| impractical that it only deserves one sentence here.

If the user was allowed to upload or paste his PGP/GPG/whatever public
key during registration, this isn't impractical at all, as I see it.
Of course, most people don't have such a key. But at least we leave
it to the user to decide if he wants to have the password encrypted
rather than in clear text.

Hopefully the password to activate the private key isn't the same as
the password the user just forgot... ;-)

Sverre.
--
shh_at_thathost.com Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/ http://nerdquiz.thathost.com/
Received on Oct 19 2002