I am new here and this is my first post.
Something I noticed when registering to the forum, when I forgot my new password: I went to reset the password and got a link via e-mail.
That link took me to a non-encrypted web page, where I could have sent my new password unencrypted over the internet. I changed the link to "https" and it worked.
Suggestion: make the password reset go to an https connection and send an https link when a password reset is requested.