Something that involves the user's e-mail address would probably be ideal. That's as secure as you can make it, if somehow they got both their EQEmu forum account and their e-mail hacked well, they're screwed in more ways than just their EQEmu account.
To change a LS login you require your current EQEmu forum password + a link is sent to the registered e-mail address with a token to confirm.
To change a EQEmu forum account e-mail address you require current e-mail address sent a token + new email address sent a verification + current password.
|