Seems like this happens monthly: member emails me with a brief statement 'like can't get in. help' or 'my password isn't working. won't let me in. i quit'. I used to manually reset their pass and email it to them with instructions on how to change it once they successfully logged in. I now realize that this isn't a good way of handling this as it could be someone attempting to access a user's account through a socially engineered vulnerability (me, the helpful admin). Been thinking about how to best handle this next time. Instruct them to perform a password reset and ignore further pleas for help? Ask them to describe something about themselves (other than location or email address)? Made me think that it might be a good idea to incorporate some required security questions at registration. These questions would be hidden but viewable by an admin and could be used as a challenge when someone reaches out for manual help. Anyone experience this or have other ways of dealing with the situation?