>I hear what you are saying, and it makes sense. However, my application applies to such a non-secure business that a security hole is not a problem. However, making a customer do another step (like resetting their password) may piss them off and get me fired :)
>Thank you for the suggestion.
>>May I suggest that you email a token that allows them to reset their password online? For example, the email will have a link with the token as a parameter (http://www.mysite/com/resetpwd/734jGkagkjKEW9856kj). The token is generally a GUID. Emailing a UID/PWD is a security hole, as the data is sent in plain text, as is storing the pwd unencrypted.
>>
>>>Thank you for the link. I will review it. But I abandoned my idea of using a Bootstrap/jQuery modal pop-up form and decided in favor of a simple ASP.NET form. The purpose of the pop-up form was for a user to recover his password. That is, he/she would enter their email address and the program would email them their User ID and Password (calling the SQL Server database first). Putting such functionality (calling SQL Server and sending email) into a pop-up/modal form turned out to be too complicated. An ASP.NET form is much simpler.
Having someone gain access to your site may not be a big deal, but people tend to reuse passwords. Sending out their username and password may end up giving access to any number of other sites that the user uses. The WebSecurity class (http://msdn.microsoft.com/en-us/library/webmatrix.webdata.websecurity%28v=vs.111%29.aspx) has methods to generate a temporary token and reset the password based on the token. It also uses hashed passwords in case there is a data breach.
Implementing security like this is a lot like performing backups: it doesn't seem like it's important until something goes wrong.
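A worked version of the token-based reset flow this reply describes, as an added example (not code from the thread or from the WebMatrix documentation). It assumes SimpleMembership has been initialized with the Email column as the user name, that the reset page lives at /Account/ResetPassword, and that WebMail is configured; the class name PasswordRecovery and its methods are hypothetical.

```csharp
using System;
using System.Web;                 // HttpUtility
using System.Web.Helpers;         // WebMail
using WebMatrix.WebData;          // WebSecurity (SimpleMembership)

// Hypothetical helper called from two plain ASP.NET Web Pages:
// the "forgot password" form and the page the emailed link opens.
// Assumes _AppStart.cshtml ran something like:
//   WebSecurity.InitializeDatabaseConnection("DefaultConnection",
//       "UserProfile", "UserId", "Email", autoCreateTables: true);
// so the address the user types is also the membership user name.
public static class PasswordRecovery
{
    // Token lifetime in minutes (WebSecurity's default is 1440, i.e. 24 h).
    private const int TokenMinutes = 60;

    // Step 1: generate a single-use token and email a link carrying it.
    // Returns the same result whether or not the address is registered, so
    // the form shows one neutral message and does not reveal which emails exist.
    public static bool SendResetLink(string email, Uri requestUrl)
    {
        if (string.IsNullOrWhiteSpace(email) || !WebSecurity.UserExists(email))
            return true;

        // The token is stored with an expiry in webpages_Membership; the
        // password itself never leaves the database and is only kept hashed.
        string token = WebSecurity.GeneratePasswordResetToken(email, TokenMinutes);
        string link = new Uri(requestUrl,
            "/Account/ResetPassword?token=" + HttpUtility.UrlEncode(token)).ToString();

        WebMail.Send(
            to: email,
            subject: "Password reset request",
            body: "Use this link within " + TokenMinutes + " minutes to choose a new password:\r\n"
                  + link + "\r\nIf you did not request this, you can ignore this message.",
            isBodyHtml: false);
        return true;
    }

    // Step 2: the reset page posts the token plus the new password.
    // ResetPassword returns false for an unknown or expired token and, on success,
    // stores the new hash and clears the token so the link cannot be replayed.
    public static bool CompleteReset(string token, string newPassword, string confirm)
    {
        if (string.IsNullOrEmpty(token) || string.IsNullOrEmpty(newPassword))
            return false;
        if (newPassword != confirm || newPassword.Length < 8)
            return false;
        return WebSecurity.ResetPassword(token, newPassword);
    }
}
```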