Resetting ASP.NET password – security issues?
I’ve seen various questions regarding this issue, but there are a couple of questions that haven’t been asked. If the user forgets their password, I would like them to be able to reset it with only their email address (i.e. there’s no security question/answer). The password is stored as a salted hash, so there’s no recovery possible. Instead, I’d just like the user to enter a new password after confirming that they have requested a reset.