tekkitan
New member
I work in network security, so I am security-aware about a lot of things, especially when it comes to software I use (like now, XenForo!). I like XenForo, but one thing really made me uneasy about using it. When a user resets their password, it is sent to their e-mail address. SMTP connections typically are plain-text connections. If they are somehow intercepted somewhere between the source and the destination, anyone would be able to use these passwords to log in to an account (especially since they have the user's e-mail address as well).
Now I know it is only meant to be a temporary password, but it still strikes me as insecure. In a perfect world, someone would immediately log in and change it. Obviously we do NOT live in a perfect world.
I know I am maybe being overly paranoid about it, as the likelihood of this happening is very slim, but it is part of my job to think about these types of things, so normally I apply it to personal things as well to try to be as secure as possible.
After typing all that, I'm sure this *may* have been brought up before. If it has and has been discussed, I apologize, but I did a search and could not find anything near relevant.