One weakness with sending a new cleartext password rather than a link is that a cleartext password (probably) has to be engineered to be easy to type in and maybe even remembered. Typically one uses some concatenation of CVC (consonant-vowel-consonant) with common punctuations and/or digits otherwise chosen randomly so something like pom%mur or kiv_ler for 7 chars anyhow, maybe add a digit or two, pom%mur87. A link can be much more random, just some long (64 char or more) string of hexified nonsense for example since the user presumably just clicks it and doesn't have to read it or type it in or worse remember it. SOOOOOO...an attacker could study your cleartext password generation algorithm which for a shorter, simpler, already structured cleartext password will be more likely to be predictable all else being equal. Perhaps the algorithm itself is is even available if you use some identifiable software package such as an e-commerce suite, I can't imagine every person selling paisley socks writes their own password generation algorithm. Or by studying the passwords it generates (create an acct, send yourself a few hundred or thousand.) I'm not just a-whistlin' dixie (I never a-whistle dixie! :-), I'd consider that a serious potential weakness adding more concern to choice of algorithms. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*