In fact, the middle-man could be the one requesting your password reset, not you yourself.

Once it has been accessed one time, the message is destroyed.

The message is stored in an encrypted database on our side.

Edit: To address your second question, I wouldn't even email that.

I would instead send a link so that they can easily see their profile/information when they log in.

If possible: Hence the requirement to change it upon login.

Resetting one's password via e-mail is insecure no matter how you do it (either a temp password or a URL); the hope is that any information transmitted in the process is obsolete by the time an attacker can get to it. The ONLY thing in the email to the user should be "your email was reset."

Keeping the "resetting password" links sent by email "valid" for a limited period of time and invalid after password reset should help against the problem of users forgetting to check "forgotten password" emails (and not removing them after use).

So you need another password reset mechanism anyway.

The best way to handle the "forgotten password" case is for the user to request you to e-mail the user a link; when they click the link you allow them to type in a new password.

Most companies simply do not include the username password combination due to the security of the external email client. Any number of users could brute force or guess the password to the email account of another user, which would allow the hacker to view the email of your site.

As for passwords, if they can't remember them in the first place, they won't be able to find the email you sent them with the password in it, and it's an admission of storing it in the clear.