If I look at lostpassword.com I see they offer ways into the database.

Best practice would be to never let this insecure database out.

Bob