adewale

Feature request: don't send users their new passwords via email. Send them a link instead. Less chance of being intercepted.

3 comments

adewale posted to #Qaiku 22.04.2009 (en)


eholmila  

@adewale, that might be a quite good idea. We have used some old conventions here, but this sounds like a better way. One solution could be that once a user requests a new password, we'll send them a link to a www page where they have to fill in their screen name or something similar in order to get the new password. We could also put some kind of time expiration on how long the link is valid, let's say 4 hours for example.

One question comes to mind: I don't know if this is even a valid concern, I just wonder wouldn't adding more links to the email message increase the risk of that email going straight to a spam folder. Do you or anyone have any tips and/or best practices to avoid this?

eholmila commented on #Qaiku 23.04.2009 (en)

adewale  

This: http://paulbuchheit.blogspot.com/2007... is a good place to start.

Essentially Qaiku staff should never know a user's password and other people's systems should also never know a Qaiku user's password.

The email will come from the standard Qaiku email address and only contain the one link for the reset. That should be fine.

You can look at Jaiku (Apache 2.0 license) and Laconica (GPL) for reasonably decent examples.

adewale commented on #Qaiku 23.04.2009 (en)
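The flow sketched in the two comments above (a single emailed link, a 4-hour validity window, the user confirming their screen name on the page, and staff never seeing a password) as an added example; this is not Qaiku's code, the in-memory dicts stand in for a database and the URL is hypothetical, and the page lets the user choose the new password rather than displaying a generated one:

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 4 * 60 * 60  # the 4-hour validity window suggested in the thread

# Constructed in-memory stores standing in for the database (assumption, not Qaiku's schema).
PENDING_RESETS = {}   # sha256(token) -> {"user": screen_name, "expires": epoch seconds}
PASSWORD_HASHES = {}  # screen_name -> salt + PBKDF2 digest

def issue_reset_link(screen_name, now=None):
    """Create a single-use reset token. Only its hash is stored, so neither a
    database leak nor staff with DB access yields a usable link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": screen_name, "expires": now + RESET_TTL_SECONDS}
    # The email body carries only this link; no password ever travels by mail.
    return f"https://example.invalid/reset?token={token}"  # hypothetical URL

def _hash_password(password, salt=None):
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest

def complete_reset(token, screen_name, new_password, now=None):
    """Handler for the page the link opens: the user types their screen name,
    and the token must be unexpired and unused. Returns True on success."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    record = PENDING_RESETS.get(token_hash)
    if record is None or now > record["expires"]:
        PENDING_RESETS.pop(token_hash, None)  # expired tokens are discarded
        return False
    # Constant-time compare so a wrong screen name is not distinguishable by timing.
    if not hmac.compare_digest(record["user"].encode(), screen_name.encode()):
        return False
    del PENDING_RESETS[token_hash]  # single use: a second visit to the link fails
    PASSWORD_HASHES[screen_name] = _hash_password(new_password)  # only the hash is kept
    return True

def verify_password(screen_name, password):
    """Login check against the stored hash; the plaintext is never persisted."""
    stored = PASSWORD_HASHES.get(screen_name)
    if stored is None:
        return False
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(_hash_password(password, salt)[16:], digest)
```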

eholmila  

@adewale, thanks for the link! There are already some precautions taken, but we'll strengthen this side a bit more in a slightly more elegant way, as we are going to go through the whole authentication and password model (our own solutions and the platform's) and see if there are any risks left that we can remove anyway.

eholmila commented on #Qaiku 24.04.2009 (en)
