
RFC: Forgot your password



Hi,
I posted this on the bug tracker as a feature request, but got no replies from devs or users. So I'm reposting it here to see what people think.

If I forget my password, the current procedure to restore access to my account is to click the “Forgot Password” link, type in my email, and then a new password is mailed to me.
I think a couple of problems exist with this:
1) Your new password is being sent in plain text, which is never a safe or advisable thing to do.
2) I can lock someone else’s account by typing in their email address.

A better solution would be to do the following:

When I tell the site I have forgotten my password, an email is sent to me containing a unique code. I can then go onto the site and type in my email address and this unique code, and then be allowed to enter any password I wish. This can be streamlined by placing the unique code in a URL, and asking the user to make one click.

The benefits to this approach are that I can’t lock someone else’s account. Also the password is not sent in clear text, however, the unique code would be, which could be considered just as bad if it doesn’t expire quickly.

Of course this solution would require an extra table in the database, or perhaps just a couple of extra columns.

If no one objects, or improves on this idea, then I will happily carry out any code changes needed.

thanks
Andrew

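Added example of the two-step flow Andrew proposes (request a code, then redeem it). This is illustrative code written for this thread, not Andrew's patch or the project's own code; the table layout, the expiry of 15 minutes, the `https://example.invalid/reset?token=` link format and all function names are assumptions. It demonstrates the two points raised in the post: the existing password is left alone until the code is redeemed, so entering a stranger's address cannot lock them out, and the emailed code is short-lived, single-use, and stored only as a digest so the stored table is not itself a list of valid codes.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for this example; the post does not fix any of these.
TOKEN_TTL_SECONDS = 15 * 60   # the code travels in clear text, so keep its life short
PBKDF2_ROUNDS = 100_000


class ResetStore:
    """In-memory stand-in for the users table plus the extra reset-code table."""
    def __init__(self):
        self.users = {}    # email -> {"salt": bytes, "pw_hash": bytes}
        self.tokens = {}   # sha256(code) hex -> {"email": str, "expires": float}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(store, email, password):
    salt = secrets.token_bytes(16)
    store.users[email] = {"salt": salt, "pw_hash": _hash_password(password, salt)}


def check_password(store, email, password):
    user = store.users.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))


def _token_digest(token):
    # Only the digest is stored; reading the table does not yield usable codes.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(store, email, now=None):
    """Step 1: the user says they forgot their password.
    Returns the link that would be emailed, or None for an unknown address.
    The current password is untouched, so a request for someone else's
    address cannot lock them out."""
    now = time.time() if now is None else now
    if email not in store.users:
        return None   # the page shown to the user should look the same either way
    # Drop any earlier outstanding code for this address; only the newest one works.
    store.tokens = {d: r for d, r in store.tokens.items() if r["email"] != email}
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe alphabet
    store.tokens[_token_digest(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return "https://example.invalid/reset?token=" + token   # assumed link format


def complete_reset(store, email, token, new_password, now=None):
    """Step 2: the user follows the link and supplies email, code and new password.
    Returns True if the password was changed. The code is single-use and expires."""
    now = time.time() if now is None else now
    # pop: any attempt with this code consumes it, whether or not it succeeds
    record = store.tokens.pop(_token_digest(token), None)
    if record is None:
        return False
    if now > record["expires"]:
        return False
    if not hmac.compare_digest(record["email"].encode(), email.encode()):
        return False
    set_password(store, email, new_password)
    return True
```

The lookup is keyed on the digest of the code rather than the code itself, so the timing of the dictionary lookup reveals nothing an attacker could use without already knowing the code; the email comparison uses a constant-time compare for the same reason. In a real deployment the `ResetStore` would be the database table (or columns) Andrew mentions, with `expires` indexed so stale rows can be purged.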