- Alternate Email - option to require alternate email to send p/w reset link to (this requires a user to have access to that email, rather than just have the reset occur instantly). Also, make this reset link expire in X minutes (say 60 by default?). Would prefer that alternate email either is specified by a logged-in user, during account creation or something an admin can enter in/manage later on the backend at the user level.
- Password Complexity - AFAIK there's no way to require users' passwords to be of any required complexity level; it would be nice to have a few options at the user/group level to set min/max of characters, requirement of ucase / lcase / numbers / symbols, requirement that the last X passwords can't be re-used, and a password expiration threshold (say 0-X days, where 0 just disables expiration). If I could get AMS to talk to Active Directory, though, that would be even better (I would just match email accounts to AD users).
- Captcha on password reset page - if I could require the same captcha on the 'forgot your password?' page where a user enters their email (same options as for webmail) that would be nice.
I'm guessing p/w reset requests are logged, not sure if anti-hammering comes into play here, but if currently it isn't, it should ;)
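
The reset flow requested in the first item (link mailed to an alternate address, expiring after 60 minutes by default) can be sketched as follows. This is an added example, not part of the original post and not the mail server's own code; `ResetTokenStore`, its methods and the sample addresses are hypothetical, and an in-memory dict stands in for the user database.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 60 * 60  # 60-minute default suggested in the post


class ResetTokenStore:
    """Hypothetical in-memory stand-in for the server's account database."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested
        self.alternate_email = {}   # account -> alternate address
        self.pending = {}           # account -> (sha256(token), expires_at)

    def set_alternate_email(self, account, address):
        # Set by the logged-in user, at account creation, or by an admin.
        self.alternate_email[account] = address

    def request_reset(self, account):
        """Return (recipient, token) to mail out, or None if no alternate email."""
        recipient = self.alternate_email.get(account)
        if recipient is None:
            return None
        token = secrets.token_urlsafe(32)   # unguessable, URL-safe
        digest = hashlib.sha256(token.encode()).digest()
        # Only the hash is stored; a newer request replaces any older link.
        self.pending[account] = (digest, self.clock() + self.ttl)
        return recipient, token

    def redeem(self, account, token):
        """True once for a matching, unexpired token; False otherwise."""
        entry = self.pending.get(account)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[account]       # expired links are purged
            return False
        candidate = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, candidate):
            return False
        del self.pending[account]           # single use
        return True
```

Storing only the token's hash means a leaked database row cannot be replayed as a reset link, and the failed `redeem` calls are the natural place to hook logging and rate limiting.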