Posted by Gordon Burditt on 12/18/46 11:50
> I am new to PHP and am working on a login system for my site.
> Currently supplied passwords are passed to MySQL and stored as md5 hashes.
> My question is: seeing as md5 is one-way only, what would be the best way to
> implement a 'Forgotten Password' system whereby the user supplies an e-mail
> address and the password is mailed to the user?
Keep in mind that the "Forgotten Password" system can and will be used
to mail-bomb a user with his password if you let it be used too often.
> The process does not require military level security but I would like to
>keep stored passwords as hashes.
The point of keeping stored passwords as hashes is to make it impractical
to get the plaintext password. This is somewhat contrary to the objective
of being able to recover the password. You could keep both. In that
case, why keep the hash?
Gordon L. Burditt
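The reply above points out that a one-way hash cannot be turned back into the password, and that a mail-out feature can be abused to bombard a user. The following is an added example, not code from the thread: it keeps only a password hash, answers "forgotten password" with a random, short-lived, single-use reset token instead of the password itself, and limits how often reset mail can be triggered per account. The `$users` and `$resets` arrays stand in for MySQL tables; `password_hash`, `password_verify` and `random_bytes` are standard PHP functions (PHP 7 or later is assumed).

```php
<?php
// Added example (not from the thread): reset a forgotten password, never recover it.
// The database holds only a password hash and a hash of any outstanding reset token.

const RESET_TTL     = 900;  // token valid for 15 minutes
const RESET_MIN_GAP = 300;  // at most one reset mail per account per 5 minutes (mail-bomb guard)

// Constructed sample data standing in for the users and reset tables
$users  = ['alice@example.com' => ['hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$resets = [];   // sha256(token) => ['email' => ..., 'expires' => ...]

// Returns the token to e-mail to the user, or null if nothing should be sent.
function requestReset(array &$users, array &$resets, string $email, int $now): ?string {
    if (!isset($users[$email])) {
        return null;          // behave the same as success; do not reveal whether the account exists
    }
    if (($users[$email]['lastReset'] ?? 0) + RESET_MIN_GAP > $now) {
        return null;          // rate-limited: silently drop repeat requests
    }
    $token = bin2hex(random_bytes(32));                 // 256-bit random token, unguessable
    $resets[hash('sha256', $token)] = ['email' => $email, 'expires' => $now + RESET_TTL];
    $users[$email]['lastReset'] = $now;
    return $token;            // only the hash of the token is stored; the token goes in the e-mail
}

// Sets a new password if the token is known, unexpired and unused; returns true on success.
function completeReset(array &$users, array &$resets, string $token, string $newPassword, int $now): bool {
    $key = hash('sha256', $token);
    if (!isset($resets[$key]) || $resets[$key]['expires'] < $now) {
        return false;         // unknown or expired token
    }
    $email = $resets[$key]['email'];
    unset($resets[$key]);     // single use: the token is consumed whether or not the rest succeeds
    $users[$email]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Usage
$now   = time();
$token = requestReset($users, $resets, 'alice@example.com', $now);
var_dump(requestReset($users, $resets, 'alice@example.com', $now + 10) === null); // true: repeat suppressed
var_dump(completeReset($users, $resets, $token, 'new-secret', $now + 60));        // true: password changed
var_dump(password_verify('new-secret', $users['alice@example.com']['hash']));     // true: new hash stored
var_dump(completeReset($users, $resets, $token, 'again', $now + 61));             // false: token used up
```

The mail-sending step is left to the caller; the user-visible response to a reset request should be identical whether or not the address is registered, so the form cannot be used to enumerate accounts.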