- ask Silly question - previously stored ("What is your dog's name?")
- if OK, prompt to set new password - move existing to an 'old password' field somewhere
- show warning at next logon for X weeks that password has been changed and that if they want to use their old password to enter it instead - Don't allow password change during this period.
- if they enter old password, replace new with old, delete stored old and prompt for new security question (which has obviously been compromised)
Not 100%, but it will do...
cLive ;-)