But the real crime here, is in the fact you're *emailing* the password in response to a password reset request. Not to mention, you're not resetting the password at all. Even if you feel the first 2 are defensible, build a damn reset page that regenerates and displays new creds