You should email the administrator with a message to that effect.
I have noticed that when as user tells the site that they have forgotten their password, that the site will send the password to their email address.
This is not good practice, when your data gets compromised (one day it will) every password will be there in plain text in the database.
This is bad as come users may use that email address and password combination on other sites.
You should look into SHA-2 hashing of passwords and salting.
And rather than send the password in an email you should send a reset key.
I know that the current specification for the site may have come from someone not as security conscious who thinks that sending a password is more user friendly (although it seems it) but it is a security flaw.
By Bev December 18, 2012 - 11:41 pm
This is very relevant to what has been published in the news, the hacker who targeted over 50 high profile celebs did so through password reminders and finding the answer through google! He’s just received 10 years in prison from the judge but not everyone is so lucky with that result