I have double-checked the user table and no password fields have a blank value. I received another Lost Password form this morning. It seems when I receive this form they are actually registering in the user database, not asking for a password. Does this make sense? I double-checked the registration form by actually registering and I receive the correct form in both emails. I then checked the lost password form and received the correct form in both emails. What I do not understand is both of these forms have server validation code, so how can it be bypassed? As always, your help is appreciated. P.S. The IP address they are using is out of Russia.