The "forgot password" system uses the "gen_random_string" function to generate the new password, which includes this line:
It seems to be designed to ensure that passwords don't contain both zeros and letter "O"s, as these look much the same in many fonts and could be confused.
But just removing the number '0' is only half of a solution to this problem. Not knowing that passwords can never contain a zero, users could also think that the letter "O" in their password is a zero and will not be able to log on.
I suggest changing that line to: