>What about phishing? If the user intends to forget their password completely, using only their OP (which may offer non-password authentication measures, resistant to phishing), phishing would elicit an "What is my password? Gosh . . . I don't know!" from the user :) -Shade