Q&A is great... but not if it will only send the existing password. Optimal functionality would let the admin decide to use hashed, and then when the user passes Q&A, send them a new randomly generated password which they must change upon logging in.
Almost all the pieces are there. There is a "reset password" link for admins already in 4.4.1, an admin can force the password change, the email functionality is there of course... now the Q&A is being added... all that is left is to tie it together, I'd think.
Workflow: User clicks "Forgot Password" link > goes through Q&A > random password generated > pwd sent to user > user logs in > user forced to change password.
Is this worthy of putting in Gemini?
This all comes about because my users do not like the idea that I could perhaps decrypt their passwords for my own use. Of course this is immoral and I'd never do such a thing... but they don't know that.
I'd even consider it a serious security flaw. Some hacker guy could set up a site in which people must register to download a free module or something... next thing you know, he's using that username and unencrypted password to try to log in to all sorts of sites... banks, credit cards, other pay sites, etc... or decides to sell the information, etc.
Regardless... this is just a worry I have and should be considered constructive... I love DNN and all the work that goes into it, and am thankful for it!
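
The workflow proposed in this post, sketched as an added example (not DNN code and not written by the poster): passwords and Q&A answers are stored only as salted hashes, a passed Q&A sets a new random password, and login reports that a change is required. The function names, the in-memory dict standing in for the user store, and the choice of PBKDF2 with this iteration count are assumptions of the sketch.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 100_000  # assumed work factor for this sketch

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def make_record(password: str, answer: str) -> dict:
    """Store only salted hashes: neither password nor answer can be read back."""
    p_salt, a_salt = secrets.token_bytes(16), secrets.token_bytes(16)
    return {"p_salt": p_salt, "p_hash": _hash(password, p_salt),
            "a_salt": a_salt, "a_hash": _hash(answer.strip().lower(), a_salt),
            "must_change": False}

def _set_password(user: dict, password: str, must_change: bool) -> None:
    user["p_salt"] = secrets.token_bytes(16)  # fresh salt on every change
    user["p_hash"] = _hash(password, user["p_salt"])
    user["must_change"] = must_change

def forgot_password(user: dict, answer: str):
    """If the Q&A answer matches, set and return a random temporary password."""
    given = _hash(answer.strip().lower(), user["a_salt"])
    if not hmac.compare_digest(given, user["a_hash"]):  # constant-time compare
        return None  # old password stays valid, nothing is sent
    temp = "".join(secrets.choice(ALPHABET) for _ in range(16))  # CSPRNG
    _set_password(user, temp, must_change=True)
    return temp  # caller e-mails this; it is never stored in clear

def login(user: dict, password: str) -> str:
    """Return 'denied', 'change_required' or 'ok'."""
    candidate = _hash(password, user["p_salt"])
    if not hmac.compare_digest(candidate, user["p_hash"]):
        return "denied"
    return "change_required" if user["must_change"] else "ok"

def change_password(user: dict, old: str, new: str) -> bool:
    """Forced change: requires the current password and a different new one."""
    if login(user, old) == "denied" or old == new:
        return False
    _set_password(user, new, must_change=False)
    return True
```

Because the site keeps only the hashes, the temporary password exists in clear text only in the e-mail and stops working once `change_password` succeeds.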