Assuming I prefer to send a new password to the user instead of a link to where he can reset it.
Is it possible?
This is not a good security practice. You should never know/store any user's password.
EDIT: These two videos provide a very basic understanding of why/how it works.
Thanks, that was very interesting but it doesn’t explain why not to send the user a new password? E.g., like an admin can enter google app and send a user a new password. That is what I was hoping to do…but automatically.
Sure, there are probably ways, such as setting a new password but storing the encrypted password/token or whatever method you’re using (not the actual password), then sending the user the actual password. From then, the server will “forget” about the password. Just brainstorming here, as it’s still a huge security concern to send actual passwords across any method of online communication.
Alright thanks. I’ll stick to the reset password method.
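The approach brainstormed in the thread (keep only a hash of the new secret, hand the plaintext over once, then forget it), sketched in Python as an added example that is not code from any poster. The function names, the in-memory `store` dict, the 15-minute expiry and the single-use rule are assumptions made for the sketch; how the secret is delivered to the user is left out.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TTL_SECONDS = 15 * 60  # assumed lifetime of the temporary secret


def _hash(secret: str, salt: bytes) -> bytes:
    # Memory-hard KDF: a leaked store does not reveal the secret directly.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def issue_temporary_password(store: dict, user: str,
                             now: Optional[float] = None) -> str:
    """Create a random secret, persist only salt + hash + expiry, and
    return the plaintext exactly once for delivery to the user."""
    now = time.time() if now is None else now
    plaintext = secrets.token_urlsafe(12)   # 96 bits from the OS CSPRNG
    salt = secrets.token_bytes(16)
    store[user] = {
        "salt": salt,
        "hash": _hash(plaintext, salt),
        "expires": now + TTL_SECONDS,
    }
    return plaintext  # the server keeps no copy of this value


def redeem_temporary_password(store: dict, user: str, candidate: str,
                              now: Optional[float] = None) -> bool:
    """Return True once for the correct, unexpired secret; False otherwise."""
    now = time.time() if now is None else now
    record = store.get(user)
    if record is None:
        return False
    if now > record["expires"]:
        del store[user]            # expired secrets are discarded
        return False
    ok = hmac.compare_digest(_hash(candidate, record["salt"]), record["hash"])
    if ok:
        del store[user]            # single use: a replayed secret fails
    return ok
```

The same storage pattern applies to a reset-link token: only the hash of the token is persisted, so the stored record alone cannot be replayed.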