If I Forget My Password Will AMPro Send It To Me?
In the words of Dr. Evil:
How about: NO!
It is frightening to see how many password systems make this gigantic mistake. You go to all sorts of trouble to secure your application; jumping thru one hoop after another, building the perfectly ironclad little fortress... and when someone forgets a password (which happens all the time) you send it to them in the clear via email?
Can we find a less secure way to do that? Maybe sky-write it in the clouds, or run it every 1/2 hour on CNN?
AMPro will let a user who has authenticated themselves properly -- after receiving a special email at their inbox containing an encrypted, time-limited link and answering their top-secret, self-set security question -- to *change* their password.
This gives the forgetful user a self-service, don't-bother-the-admin method of gaining immediate re-entry without creating a giant security hole in the process.