Yeah, I think that sounds like a good idea (ask secret question where they must supply a secret answer to continue).
I see your point that they could always click on the link if their old password didn't work and get another temporary one. The problem is that the person that was jacking around causing these kinds of forgot password changes to occur could simply do it again and again. Imagine you have a subscription to a business where someone keeps doing this to you. You probably won't remain subscribed too long with this model.
Another technique I've seen is where a company sends you an email with a link to click to continue with the resetting password process if that's what the person wants to do. If not, they can ignore the email and still use their existing password.
If they truly forgot their password, the link takes them to a page where they answer a security question with a security answer (who's your dumbest relative kind of questions) and if that succeeds, they move on to a change password page where they can create a new password for themselves.
The key is that the business never changes the password, only the user. The link that's in the email includes the person's email address that's hashed in somehow. On the database side of things there's an attribute that contains a timestamp so that if the person clicks on the email after a few days of it being sent, they need to start the process over again since the email is only good for 24 hours.
Lots of extra work on the developer's side of things, but ensures kids/hackers aren't jacking things around by tricking the business into changing their user's passwords on them.
thanks for your straightforward answer and suggestion,
steve
