[JJR512]

I have updated my version, attached in Post #17 (above), to incorporate some suggestions from Parker Clack. The change basically checks to see if the person has a secret question/answer before it tries to take the person through the process of answering the secret question.

LoveShack, I'm not sure if I understood what you meant by your Point #1 above. Whether the system uses predefined questions or lets users make up their own questions, either way, the question is going to be visible to anyone who wants to see it. I think if the user can make up his own question/answer, he/she is more likely to use something that he/she can easily remember. Either way has advantages and disadvantages. I happen to like the way I did it, which is why I did it that way; you want it another way, and are going to code that for yourself, so now, like Parker said, we will have even more choices!

(BTW, the added complexity that you alluded to at the end of your post is part of the reason why I avoided going that way! )

I agree that making everything work as lower-case would be a good idea, and I'll work that in sometime tonight, and update my post again.

Regarding your Point #3, I understand what you're saying...I think that using unencrypted answers might be a better idea if you're using predefined questions, per your other suggestion. But for my version, allowing the user to make up his own question, I don't think many people would be too keen on the idea of putting in a question like, "What is my mother's maiden name?" if they know that I'll be able to see the answer. I could take that answer and use it to find out all kinds of things about that person and commit all kinds of fraud. Not that I would, of course, but what I'm saying is that some people will know that that kind of thing is possible. If you use a predefined question you could make a question that people wouldn't care if the board owner could see the answer or not. This is the same kind of debate, pretty much, that raged when vBulletin switched the password system to MD5, as well. There are some advantages to being able to see the passwords. But having them be encrypted was deemed to be more important, so I figured those reasons pretty much applied here, too.