Further the systems need to have a way to reset passwords without staff
involved. Most add a couple of security questions to the page the emailed
link takes you to. The link has codes in it to say who you are, but then you
play the questions game to confirm you are you.
But this is a good sign of what level of security is needed where. Simple
list server, no questions. Your bank, a couple of questions. Corporate
services like hosting or DNS, a raft of questions.
-Ken Cameron, Member JMRI Dev Team