chriscoe71
15 years ago
I'm currently running 1.9.3 and have not had much of a chance lately to do any coding, so I thought I would throw out my thoughts here for some input.

The Lost Password functionality currently requires that a person enter a valid forum username and the system will generate a new password and email that password to the email address that matches the username.

The problem that I am having is that anybody can reset the password for any forum user. This only requires that they copy a forum username and enter it into the Lost Password box.

On more than one occasion I have had this feature abused. There really is no harm, but when a user gets a password reset email and they didn't initiate the process, they feel a little violated.

Is there a way to email the user with a link to click on that will reset the password?

This would eliminate the anonymous password resetter bandit from the forums.

Are there any other suggestions on how to eliminate this?

Thanks for all of your work on this. I'm looking forward to testing 1.9.4.
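
The emailed-link flow asked about above, as an added example that is not part of the original post and is not YAF code: the Lost Password form only issues a single-use, expiring token, and the password changes only when that token comes back from the link. `ResetStore`, `TOKEN_TTL` and the in-memory dictionaries are hypothetical stand-ins for the forum's user table.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a reset link, in seconds


class ResetStore:
    """In-memory stand-in for the user table (hypothetical, not YAF's schema)."""

    def __init__(self):
        self.passwords = {}  # username -> current password hash
        self.pending = {}    # username -> (SHA-256 of token, expiry timestamp)

    def request_reset(self, username, now=None):
        """Lost Password form: issue a token, leave the password untouched."""
        now = time.time() if now is None else now
        if username not in self.passwords:
            return None  # the caller shows the same page either way
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[username] = (digest, now + TOKEN_TTL)
        return token  # placed only in the emailed link; only its hash is stored

    def redeem(self, username, token, new_hash, now=None):
        """Emailed link: change the password only for a valid, unexpired token."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expires = entry
        supplied = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison so timing does not leak the stored digest.
        if now > expires or not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[username]  # single use: the link cannot be replayed
        self.passwords[username] = new_hash
        return True
```

Someone who types another member's username into the form still causes an email to be sent, but the member's existing password keeps working unless the link in that email is used.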
