grendel
  • grendel
  • 50.6% (Neutral)
  • YAF Forumling Topic Starter
15 years ago
Hello,

I believe I've found a problem in the 1.9.3 version of YAF. The problem exists when hashed passwords are used and the user resets their password (or the password is reset for them by the administrator). Changing the password also changes the password salt, but since the answer to the password challenge question was hashed with the previous salt, it will no longer be possible for the user to reset their password. The issue lives in YafMembershipProvider.ChangePassword and can be fixed by applying the simple diff below (ChangePasswordQuestionAndAnswer correctly reuses the password salt):

--- a/YAF.Providers/Membership/YafMembershipProvider.cs

+++ b/YAF.Providers/Membership/YafMembershipProvider.cs

@@ -525,7 +525,8 @@ namespace YAF.Providers.Membership

return false;

// generate a salt if desired...

- if (UseSalt) newPasswordSalt = YafMembershipProvider.GenerateSalt();

+ if (UseSalt) ///newPasswordSalt = YafMembershipProvider.GenerateSalt();

+ newPasswordSalt = currentPasswordInfo.PasswordSalt;

// encode new password

newEncPassword = YafMembershipProvider.EncodeString(newPassword, (int)this.PasswordFormat, newPasswordSalt, this.UseSalt, this.HashHex, this.HashCase, this.HashRemoveChars, this.MSCompliant);
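
Review bot: The `if (UseSalt)` on the first added line is now followed only by a `///` comment, so the statement it guards is the assignment on the next added line. That compiles to the intended behaviour, but only because the old call happens to be commented out on the same line, and `///` is the XML doc-comment prefix in C#. Delete the GenerateSalt() call instead of commenting it out, write `if (UseSalt) newPasswordSalt = currentPasswordInfo.PasswordSalt;` as one statement, and update the "generate a salt if desired..." comment, which no longer describes the code. Nothing in the hunk checks that currentPasswordInfo.PasswordSalt is non-empty; if a stored salt can ever be empty, the new password would be encoded without one, so a fallback to GenerateSalt() for that case is worth adding. The reused salt also never rotates on a password change, which is the price of keeping the stored answer hash valid here.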

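The failure described in the post above, reproduced in a small stand-alone model. This is an added example, not YAF code or part of the original post: `UserRow`, `SaltDemo`, the SHA-256 `Hash` helper and the sample values are assumptions that stand in for the provider's storage and its EncodeString call.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model of a membership row: one salt shared by the password
// hash and the security-answer hash (assumption, not YAF's actual schema).
class UserRow { public string Salt, PasswordHash, AnswerHash; }

static class SaltDemo
{
    static string NewSalt()
    {
        var b = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return Convert.ToBase64String(b);
    }

    // Stand-in for the provider's encoding step: SHA-256 over salt + value.
    static string Hash(string value, string salt)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(salt + value)));
    }

    static UserRow Create(string password, string answer)
    {
        var salt = NewSalt();
        return new UserRow { Salt = salt, PasswordHash = Hash(password, salt), AnswerHash = Hash(answer, salt) };
    }

    // regenerateSalt = true models the reported behaviour, false the proposed diff.
    static void ChangePassword(UserRow u, string newPassword, bool regenerateSalt)
    {
        if (regenerateSalt) u.Salt = NewSalt(); // AnswerHash still uses the old salt
        u.PasswordHash = Hash(newPassword, u.Salt);
    }

    static bool AnswerMatches(UserRow u, string answer) => Hash(answer, u.Salt) == u.AnswerHash;

    static void Main()
    {
        var broken = Create("old-pw", "rex"); // constructed sample values
        ChangePassword(broken, "new-pw", regenerateSalt: true);
        Console.WriteLine("new salt:    answer accepted = " + AnswerMatches(broken, "rex"));

        var patched = Create("old-pw", "rex");
        ChangePassword(patched, "new-pw", regenerateSalt: false);
        Console.WriteLine("reused salt: answer accepted = " + AnswerMatches(patched, "rex"));
    }
}
```
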
Jaben
  • Jaben
  • 100% (Exalted)
  • YAF Developer
15 years ago
Thanks for reporting this. But, known issue in v1.9.3 and fixed in v1.9.4.