[LINK] Automated processing of lost passwords

David Lochrin dlochrin at d2.net.au
Mon Feb 12 14:59:30 AEDT 2007


   Many websites with a restricted-access area include an automated process for handling forgotten passwords.  Usually the user emails a "forgotten password" address ("forgot your password" - sic) and the system emails back the current (or an updated) password.

   I assume the normal action is merely to verify that the email originates from the user's registered email address.  But can any Linker say how easy this is to forge?  When an email is relayed via intermediate MHS servers, is all the protocol information derived from the email header?

   If a suitably resourced nasty knows an individual's email address and discovers that s/he has an account on a particular website, how easy is it for them to penetrate the "forgotten password" process?

David
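The post describes a reset process that trusts the sender address of an incoming email and mails the password back. As an added example (not from the post or any list member), here is the design that removes that dependency: the site never trusts who a request claims to come from, and instead mails a random, single-use, expiring token to the address on file; only someone who controls that mailbox can complete the reset. Names such as `request_reset` and the in-memory stores are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores for the example; a real site would use its database.
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"email": str, "expires": float}
TOKEN_TTL_SECONDS = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def request_reset(email: str, now: float) -> Optional[str]:
    """Issue a token to be mailed (as a link) to the *registered* address.
    The requester's own sender address is never consulted, so forging it gains
    nothing: the token only reaches whoever controls the mailbox on file.
    Returns None for unknown addresses; the web form should respond identically
    either way so it does not reveal which addresses hold accounts."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits, unguessable
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token                               # only the hash is stored server-side


def complete_reset(token: str, new_password: str, now: float) -> bool:
    """Consume the token. It is deleted whether or not the reset succeeds, so a
    replayed or expired token cannot be used; the password itself is never mailed."""
    record = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if record is None or now > record["expires"]:
        return False
    set_password(record["email"], new_password)
    return True


set_password("alice@example.com", "old-pass")  # constructed sample account
```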


