We're using acts_as_authenticated and we'd like to just send users
their forgotten password instead of resetting it. I read that this can
be somewhat risky since you have to decrypt the password to send it.
Does anyone have any thoughts on the risk of doing this and if there
is a better solution?
You cannot decrypt it. It's a one-way hash. (*)
I would recommend doing something like this:
Make an action that will set a password change code string, using the
same methods that the activation code uses. This is a long,
unpredictable string to an attacker. This page will say something
like "Your password has been reset. Please check your email, and
follow the directions within it."
You then mail them a URL which uses this code, say
(the latter part is their unique reset code.) This action will ask
for their login name, a new password, and the verification of that
password. If everything matches, you reset their password (and be
nice and mail them that it was reset.)
This way you never store the clear-text version of their password, and
they can continue to do bad things like use the same password for
their banking accounts.
(*) OK, so you COULD brute-force it, or do some sort of dictionary
attack on it. But why would you want to do this? Storing the hashed
password means that if your database is exposed people cannot just use
the passwords in it to log into any account.