Showing ASP.NET page as pop-up/modal?
General information
Forum: ASP.NET
Category: Other
Environment versions
Environment: VB 9.0
OS: Windows Server 2012
Network: Windows 2008 Server
Database: MS SQL Server
Application: Web
Miscellaneous
Thread ID: 01612499
Message ID: 01612838
Views: 53
>>>
>>>Having someone gain access to your site may not be a big deal, but people tend to reuse passwords. Sending out their username and password may end up giving access to any number of other sites that the user uses. The WebSecurity class (http://msdn.microsoft.com/en-us/library/webmatrix.webdata.websecurity%28v=vs.111%29.aspx) has methods to generate a temporary token and reset the password based off of the token. It also uses hashed passwords in case there is a data breach.
>>>
>>>Implementing security like this is a lot like performing backups: it doesn't seem like it's important until something goes wrong.
>>
>>Yep - this is WAY more important than you might think and people DO reuse passwords like crazy. What might happen if one of those passwords happens to also be their e-mail password? Think of how many OTHER websites let you reset passwords just through e-mail (and how much information about a person is contained in e-mails). Those people would basically be screwed.
>
>Here is to share with you how secure my customers' business approach is. As I mentioned before, the user IDs and passwords for all web users are currently assigned by an administrator (senior secretary :)). And very often ALL users would be assigned THE SAME PASSWORD and a different User ID. The User ID would usually be something that is easy to remember. For example, their department Cost Center. Everybody in the organization knows each other's department cost center numbers. So logging in with a different user ID and password is a piece of cake. And even in this simple scenario some people forget their passwords {bg}. So I need to help them to recover their password and ID.
>Having said that, I am also working on a module that would allow users themselves to create an account and enter a user ID and password. In this case, I agree, the security of their password is important.

IMO assigning user IDs and passwords on their behalf is a terrible idea, for exactly the reason you identify. Once you've got it, you've got them all.