If a user changes their password, it is changed to the SHA-1 hash of their email address. In handlers/user.php, on line 108:

    $password = ", password='".$db->res(sha1($_POST['email']))."'";

It should be $_POST['new_password'].
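
The corrected clause from the report, together with an audit for accounts the buggy line already wrote, as an added example that is not the project's own code. The function names, the `email`/`password` row layout, the sample rows and the reading of `$db->res()` as an SQL string escaper are assumptions.

```php
<?php
// Added example, not the project's code. Function names, the row layout
// (email, password) and the sample data are assumptions for illustration.

// Corrected clause builder: hashes the submitted new password, not the email.
// $escape stands in for the project's $db->res(), assumed to escape a
// string for use inside an SQL literal.
function build_password_clause(array $post, callable $escape): string
{
    if (!isset($post['new_password']) || $post['new_password'] === '') {
        return ''; // no password change requested; leave the column untouched
    }
    return ", password='" . $escape(sha1($post['new_password'])) . "'";
}

// Audit: a stored hash equal to sha1(email) was written by the buggy line,
// so that account needs a forced password reset. Accounts whose email was
// changed after the bad write will not match and need a separate review.
function find_affected_accounts(array $rows): array
{
    $affected = [];
    foreach ($rows as $row) {
        if (hash_equals(sha1($row['email']), strtolower($row['password']))) {
            $affected[] = $row['email'];
        }
    }
    return $affected;
}

// Constructed sample rows: the first was written by the buggy handler.
$rows = [
    ['email' => 'alice@example.com', 'password' => sha1('alice@example.com')],
    ['email' => 'bob@example.com',   'password' => sha1('correct horse battery')],
];

print_r(find_affected_accounts($rows)); // lists alice@example.com only

echo build_password_clause(
    ['email' => 'bob@example.com', 'new_password' => 'n3w-pass'],
    'addslashes' // stand-in escaper for this demo only
), "\n";
```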