Why do you need/want to change the password? Just keep the (encrypted) passwords in the DB linked to the sign up email address and username. If a user forgets their password you simply decrypt the password in the DB (Crypt::Blowfish and Crypt::CBC are all you need) and then email it back to the registered email address. If someone 'guesses' a username or registered email address (whatever you decide validates the user - either seems logical) it does not matter as the password simply goes back to the registered email address, not the guesser's email address. KISS

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print