- priority: 5 --> 7
Hitting the 'e-mail me my password' button on the login
screen causes the previous password to become invalid; the
new password has to be used to log in.
This is problematic because it's not too hard to hit the button
accidentally (in Safari 1.0, if you hit "enter" in a form text
control, it submits using the _last_ submit button in the
form, which is 'mail my password' instead of 'login'). Also it
allows a denial of service tactic whereby a third party can
lock you out of your bug tracker account and flood your
e-mail box by generating a lot of new passwords for you.
A better solution might be to store the new password in
another field, and check against both passwords on the next
login, then clear the new password field. If the new login
was used, reassign the current password to match,
otherwise let it expire.
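
A sketch of the two-field scheme proposed above, as an added example that is not part of the original report or the tracker's own code. The `Account` class, its field names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed storage format: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical account record with a second, pending password field."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.current = _hash(password, self.salt)
        self.pending = None  # set only by a reset request

    def request_reset(self) -> str:
        """Generate the password to e-mail; the current one stays valid."""
        new_password = secrets.token_urlsafe(12)
        self.pending = _hash(new_password, self.salt)
        return new_password  # the caller would mail this to the owner

    def login(self, password: str) -> bool:
        candidate = _hash(password, self.salt)
        ok_current = hmac.compare_digest(candidate, self.current)
        ok_pending = self.pending is not None and hmac.compare_digest(
            candidate, self.pending
        )
        if not (ok_current or ok_pending):
            return False  # a failed attempt leaves both fields untouched
        if ok_pending:
            # The owner used the mailed password: it becomes the current one.
            self.current = self.pending
        # Either way the pending field is cleared on a successful login,
        # so an unused mailed password expires.
        self.pending = None
        return True
```

With this layout an accidental or third-party reset request no longer locks the owner out, although it still sends mail, so the flooding half of the problem needs separate rate limiting.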