Posted by d on 10/12/71 11:37
"Mike" <mike@mjfcadsolutions.co.uk> wrote in message
news:1137426305.803937.121870@g43g2000cwa.googlegroups.com...
> Hi,
>
> I've read through many posts talking about password encryption etc.
>
> I want to be able to email the password to someone who has forgotten
> it. Basically, search the MySQL database for the entered email
> address, pick up the password and email it off.
>
> I know password() and MD5 are all one way so other than having to send
> back a new password and get the user to change it, what other way is
> there?
>
> I know for example friendsreunited send you the password back no
> problem. How do you think they would have done it?
>
> And if someone really wants to get a password that bad, they will, so is
> there really any point in storing the password in the database as
> encrypted?
>
> Thanks for your help
>
> Mikee
>
It all depends. If you can guarantee that your site is immune to SQL
injection (where query strings/cookies/post vars are manipulated to inject
SQL into your own queries), then you'll be safe enough. If you are certain
that no-one can gain access to your database/code, then it's pretty safe to
keep them as plaintext in the database. Remember, though, that you can also
use a two-way encryption before storing them. Store them as MD5 *and*
two-way encrypted text, and you can just check on the md5 when logging in
(which is pretty quick), and only resort to decrypting the password when the
user requests it be sent back to them. Best of both worlds ;)
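As an added example (not code from either poster), here is the alternative the question itself raises: keep only a one-way hash for the login check, and on "forgot password" issue a short-lived, single-use reset token so the user sets a fresh password rather than receiving the stored one. The in-memory dictionary stands in for the MySQL users table, and the PBKDF2 parameters and 15-minute token lifetime are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-in for the MySQL users table:
# email -> {"salt": bytes, "hash": bytes, "reset": None | (token_hash, expiry)}
USERS = {}
ITERATIONS = 200_000  # assumed PBKDF2 work factor
RESET_TTL = 15 * 60   # assumed token lifetime in seconds

def _hash(password, salt):
    # One-way, salted, slow hash: nothing stored can be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(email, password):
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash(password, salt), "reset": None}

def login(email, password):
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))

def request_reset(email, now=None):
    """Create a single-use reset token for the caller to email; only its hash is stored."""
    user = USERS.get(email)
    if user is None:
        return None  # the web page should respond identically for unknown addresses
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    user["reset"] = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL)
    return token

def complete_reset(email, token, new_password, now=None):
    """Consume the token (valid or not) and, if it matched and is unexpired, set a new hash."""
    user = USERS.get(email)
    if user is None or user["reset"] is None:
        return False
    token_hash, expiry = user["reset"]
    user["reset"] = None  # single use: a wrong guess also burns the outstanding token
    now = time.time() if now is None else now
    presented = hashlib.sha256(token.encode()).digest()
    if now > expiry or not hmac.compare_digest(token_hash, presented):
        return False
    user["salt"] = os.urandom(16)
    user["hash"] = _hash(new_password, user["salt"])
    return True
```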