Hey,

A sudden idea just came into my mind when reading up on some security exploits. I'm not to sure if this is a decent suggestion or not, but I thought I should pass it onto you guys to consider?

Anyway, ill cut to the chase. At present the request password feature just generates a new URL where you go to reset your passwords. No questions asked. Just click the link in your email, and bobs your uncle. How about before this URL is generated, your asked a secret question (which you set on registration / UserCP) which you must answer before the URL is generated and sent to your email.

Like they do on most sites with a new-password request.

What ya think?

It sure would prevent the "lost password" spam

Well, you would need the user's E-Mail account too.

Definately an option though, being as I don't remember ANY security questions/answers, being as most of the questions, if you know me, are fairly answerable, minus like SSN stuff... =\

How would somebody know the name of a given pet you have had in the past, current, first, most friendly alot of "security questions" could be based on this.

Simple fact is the following:

If this was to be a feature, it should work well basicly like google gmail's service does

Should also have different levels of security based on the account's level, for example an owner-admin would have to answer multiple questions and know a secret pin, of course the draw back to this is the following:

Would require more space on the database, but heck I think its worth it.

Glad you all like the idea