Use a random value for the password reset hash to reduce the chances

that it can be guessed by an attacker.

modules/user/controllers/password.php

@@ -54,8 +54,7 @@ class Password_Controller extends Controller {
     }
 
     if ($valid) {
-      $user->hash = md5("$user->id; $user->name; $user->full_name; " .
-                        "$user->login_count; $user->last_login");
+      $user->hash = md5(rand());
       $user->save();
       $message = new View("reset_password.html");
       $message->url = url::abs_site("password/do_reset?key=$user->hash");