As already mentioned in my [url=http://www.silverstripe.com/google-summer-of-code-forum/flat/2417]post on Friday[/url] the "I've lost my password" feature doesn't work anymore as expected since passwords can now be encrypted.
There are now in principle two possible solutions:
1.) Assign a new password to the account which is then mailed to the specified email address.
2.) Send a so called auto login hash which is a special URL that logs you automatically in without entering a password. The user can change the password then as he likes.
The downside of solution 1 is that someone can change the passwords for all accounts for which he knows the email address and people won't understand we their usual credentials doesn't work anymore unless they read their mails.
Solution 2 (which is the one I would prefer) is a little more complicate for the user he has to change the password himself but I think there are no other problems with this approach.
What do you think? Which of the two solutions should be implemented?
I would implement it in a way that the function works the same way as now for clear text passwords and sends a auto login hash for encrypted passwords (the auto login hash works only until the next successful login).