Advice on creating a "Forgotten Password?" function?
I need to add a "Forgotten Password" option to a sign in form which, as I understand, is best if you simply reset the password as opposed to sending it to the user by e-mail, which could be intercepted. Right?
1) Sign in page
2) Sign in fails - display link to Reset Password page
3) Ask user to enter email address to reset their password. Upon submission, the system writes a temporary password to the database and e-mails it to the e-mail address.
4) User receives an e-mail with a link to a page that asks them to log in using the temporary password displayed in that e-mail.
5) Once logged in, they are forced to reset the password to something else - in case the reset password e-mail is intercepted.
Is that the best approach?
How do I generate a random password in Step 3 above?
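One way to implement Step 3 and the single-use check in Step 4, as an added example that is not part of the original post: the temporary password comes from the OS CSPRNG (`secrets`), only its hash is stored together with a short expiry, and it is consumed on first successful use. The in-memory dictionary stands in for the database and the e-mail sending is assumed to happen elsewhere.

```python
import hashlib
import hmac
import secrets
import string
import time

# Constructed in-memory store for the example; a real app would use its database.
# Maps email -> (sha256 hex of the temporary password, expiry timestamp).
_pending_resets = {}

ALPHABET = string.ascii_letters + string.digits
TEMP_PASSWORD_LENGTH = 20          # 62^20 is roughly 2^119 possibilities
RESET_TTL_SECONDS = 15 * 60        # temporary passwords should be short-lived


def generate_temp_password(length=TEMP_PASSWORD_LENGTH):
    """Step 3: build the temporary password from the OS CSPRNG, never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _digest(temp_password):
    return hashlib.sha256(temp_password.encode("utf-8")).hexdigest()


def start_reset(email, now=None):
    """Create and record a temporary password; return the plaintext to put in the e-mail.
    Only the hash is stored, so a database leak does not expose live reset credentials."""
    now = time.time() if now is None else now
    temp_password = generate_temp_password()
    _pending_resets[email] = (_digest(temp_password), now + RESET_TTL_SECONDS)
    return temp_password


def redeem_temp_password(email, candidate, now=None):
    """Step 4: accept the temporary password once, then discard it (single use).
    Returns True only if a reset is pending, unexpired and the candidate matches."""
    now = time.time() if now is None else now
    entry = _pending_resets.get(email)
    if entry is None:
        return False
    stored_digest, expires_at = entry
    if now > expires_at:
        del _pending_resets[email]
        return False
    # Constant-time comparison avoids leaking how much of the value matched through timing.
    if not hmac.compare_digest(stored_digest, _digest(candidate)):
        return False
    del _pending_resets[email]   # consumed; the user must now choose a new password (Step 5)
    return True
```

After `redeem_temp_password` returns True the application should open the forced-change form from Step 5 and invalidate any other pending reset for that account.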