Comment 8 for bug 457371

root (n-root-psiphon-ca) wrote :

Merging this ticket here:

    Password-change requests: send "password-change link" rather than the actual password?
    Reported by: ****
    Owned by: ****
    Priority: major
    Milestone:
    Component: Business Requirements
    Version:
    Keywords: 2009-q2
    Cc:
    Origin: Customer Request
    Estimate:
    Due Date: 200X/xx/xx
    Software Components: Management System
    % Complete: 0%
    Description

    Isn't this what most sites do nowadays?

    * I submit the password-change request
    * I get an email with an internal HTTPS password-change link
      o Links are long enough that they're difficult to enumerate
      o Links are valid for a short time (one week?)
    * I follow the link to change my password
      o It only works for that user
      o I may or may not be quizzed about some "security questions"
        + Should we make them confirm the email address?
      o I choose (and confirm) a new password
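The flow the ticket sketches, worked through as an added example. This is not code from the comment above or from the Psiphon management system; it is a self-contained Python sketch of the server side: a reset token that is long enough not to be enumerable (256 bits from the OS CSPRNG), stored only as a SHA-256 digest, valid for the ticket's suggested one week, single-use, and bound to exactly one account so the link cannot change anyone else's password. The base URL, the one-week lifetime, the in-memory stores and the sample user are all assumptions made for the example; the password hash function is a placeholder.

```python
"""Password-reset-link flow: request a reset, email a link, consume it once."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Assumed values (not from the ticket): the lifetime follows the ticket's
# "one week?", the base URL is a placeholder for the site's HTTPS endpoint.
TOKEN_TTL_SECONDS = 7 * 24 * 3600
RESET_URL_BASE = "https://example.invalid/account/reset"


@dataclass
class User:
    user_id: int
    email: str
    password_hash: str


@dataclass
class ResetRecord:
    user_id: int        # the token is bound to exactly one account
    expires_at: float   # absolute Unix time after which the token is dead
    used: bool = False  # tokens are single-use


# Constructed in-memory stores standing in for database tables.
USERS: Dict[int, User] = {1: User(1, "alice@example.invalid", "<old-hash>")}
# Keyed by SHA-256 of the token: a leaked table does not yield usable links.
RESET_RECORDS: Dict[bytes, ResetRecord] = {}


def _token_digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def hash_password(password: str) -> str:
    # Placeholder for illustration only; use argon2/bcrypt/scrypt in production.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Return the HTTPS reset link to email, or None if no account matches.

    The HTTP response must look the same in both cases so the endpoint
    cannot be used to enumerate registered addresses."""
    now = time.time() if now is None else now
    user = next((u for u in USERS.values() if u.email == email), None)
    if user is None:
        return None
    # A new request supersedes any link still outstanding for this account.
    for rec in RESET_RECORDS.values():
        if rec.user_id == user.user_id:
            rec.used = True
    # 32 random bytes (256 bits) from the OS CSPRNG: not enumerable.
    token = secrets.token_urlsafe(32)
    RESET_RECORDS[_token_digest(token)] = ResetRecord(
        user_id=user.user_id, expires_at=now + TOKEN_TTL_SECONDS
    )
    return f"{RESET_URL_BASE}?token={token}"


def token_from_link(link: str) -> str:
    """Extract the token query parameter the user's browser will send back."""
    return parse_qs(urlparse(link).query).get("token", [""])[0]


def consume_reset(token: str, new_password: str,
                  now: Optional[float] = None) -> Optional[int]:
    """Set a new password if the token is live; return the user_id or None.

    The account is derived from the token itself, never from a separate
    user or email parameter, so a link can only ever change its own user."""
    now = time.time() if now is None else now
    rec = RESET_RECORDS.get(_token_digest(token))
    if rec is None or rec.used or now > rec.expires_at:
        return None
    rec.used = True                      # burn it before touching the account
    user = USERS[rec.user_id]
    user.password_hash = hash_password(new_password)
    return user.user_id
```

The "security questions" and email-confirmation steps the ticket leaves open would sit in the handler between looking up the record and calling `consume_reset`; nothing in the token itself needs to change for them.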