I'd re-enable the user, changing the password only, not the user name, once
and email them the new password, telling them to be sure to keep it safe.
If the new password gets out on the password sites I'd probably cancel them.
I might give them one more chance. If a total of three different passwords of
theirs get out I'd figure they were giving it out and get rid of them.
One thing to be aware of, though, is password file ripping. If a LOT of passwords
get out at about the same time, a cracker probably found a hole in some PHP
script and downloaded your whole password file. That happens a lot if you use
the old DES encryption that was for so long the standard way to encrypt passwords.
That's not the user's fault, of course. In that case I'd upgrade the encryption, which
we can help you with, and assign new passwords to the affected users.
Normally I wouldn't change someone's user name, only their password, so it's
easy to see later if the same user's password keeps getting out.
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
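
An added example, not part of the original post: a small audit that flags legacy DES crypt entries in a password file, so you know which accounts need new hashes when you upgrade the encryption. It assumes Apache htpasswd-style `user:hash` lines; the function names and sample entries are constructed for illustration.

```python
import re
from collections import Counter

# Traditional DES crypt(3): 2-char salt + 11-char hash, alphabet ./0-9A-Za-z.
# Only the first 8 password characters are used and the salt is 12 bits.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

PREFIXES = [
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$apr1$", "apr1-md5"), ("$1$", "md5-crypt"),
    ("$5$", "sha256-crypt"), ("$6$", "sha512-crypt"),
    ("{SHA}", "sha1-unsalted"),
]
WEAK = {"des-crypt", "sha1-unsalted", "unknown"}

def classify(hash_field):
    """Name the scheme of one hash field from its prefix or shape."""
    for prefix, name in PREFIXES:
        if hash_field.startswith(prefix):
            return name
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt"
    return "unknown"  # may be plaintext or a scheme not listed here

def audit(lines):
    """Return (scheme counts, sorted list of users whose hash should be replaced)."""
    counts, weak_users = Counter(), []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        counts[scheme] += 1
        if scheme in WEAK:
            weak_users.append(user)
    return counts, sorted(weak_users)

# Constructed sample entries (not real credentials or real hashes)
SAMPLE = """\
alice:xy0123456789A
bob:$apr1$SALTSALT$0000000000000000000000
carol:$2y$10$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
dave:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
""".splitlines()

if __name__ == "__main__":
    counts, weak = audit(SAMPLE)
    print(dict(counts))
    print("needs new hash:", weak)
```

A 13-character plaintext value made only of letters, digits, `.` and `/` would also match the DES shape, so treat the result as a list to review rather than proof of the scheme.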