Posted by NC on 01/19/06 03:46
Mike wrote:
>
> I want to be able to email the password to someone who has forgotten
> it. Basically, search the MySQL database for the entered email
> address, pick up the password and email it off.
>
> I know password() and MD5 are all one way so other than having to send
> back a new password and get the user to change it, what other way is
> there?
>
> I know for example friendsreunited send you the password back no
> problem. How do you think they would have done it?
>
> And if someone really wants to get a password that bad, they will, so is
> there really any point in storing the password in the database as
> encrypted?
Let's start at the end. Encrypting passwords allows the site operator
to retrieve them. Hashing (in theory, at least) makes it more
difficult.
There are at least two ways to deal with the forgotten password
problem. One is to generate a random password and send it to the user
via e-mail with instructions to log on as soon as possible and change
the password immediately. For added security, the login name is
usually not included in the e-mail, so that even if the message is
intercepted, the intercepting party only has a password, but not the
login name.
The second possibility is to have one or more security questions. When
a user forgets her password, she is asked a security question. If the
answer is correct, she is prompted to set a new password.
Cheers,
NC
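The first approach NC describes (store only a hash, and on a forgotten-password request issue a random temporary password that must be changed at the next login, mailed without the login name), worked through as an added example. This is not code from the thread; the in-memory `USERS` dict stands in for Mike's MySQL table, and the record fields, the one-hour temporary-password lifetime and the PBKDF2 work factor are assumptions made here.

```python
"""Forgotten-password flow: the site keeps a salted hash only, so the
operator cannot retrieve passwords, and a reset issues a random temporary
password that expires and must be changed at the next login."""
import hashlib
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000          # work factor for the stdlib PBKDF2 hash (assumed)
TEMP_PASSWORD_TTL = 60 * 60      # seconds a temporary password stays valid (assumed policy)

# Constructed stand-in for the users table: login name -> record
USERS = {}


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash for the candidate and compare in constant time."""
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


def register(login_name, email, password):
    salt, digest = hash_password(password)
    USERS[login_name] = {"email": email, "salt": salt, "digest": digest,
                         "must_change": False, "temp_expires": None}


def request_reset(email, now=None):
    """Look the account up by e-mail, replace its password with a random
    temporary one and return the message text to send. The login name is
    deliberately left out of the message, as the post recommends. Returns
    None for an unknown address; the web form should show the same reply
    either way so it does not reveal which addresses are registered."""
    now = time.time() if now is None else now
    record = next((r for r in USERS.values() if r["email"] == email), None)
    if record is None:
        return None
    temp = secrets.token_urlsafe(12)  # ~96 bits from the OS CSPRNG, URL-safe characters only
    record["salt"], record["digest"] = hash_password(temp)
    record["must_change"] = True
    record["temp_expires"] = now + TEMP_PASSWORD_TTL
    return (f"Your temporary password is: {temp}\n"
            "Log in as soon as possible and change it immediately.")


def login(login_name, password, now=None):
    """Return 'ok', 'must_change' (temporary password accepted, force a
    change before anything else), 'expired', or 'bad'."""
    now = time.time() if now is None else now
    record = USERS.get(login_name)
    if record is None or not verify_password(password, record["salt"], record["digest"]):
        return "bad"
    if record["must_change"]:
        if now > record["temp_expires"]:
            return "expired"
        return "must_change"
    return "ok"


def change_password(login_name, old_password, new_password, now=None):
    """Set a new password only after the current (or temporary) one verifies;
    clears the must-change flag so the temporary password is gone for good."""
    if login(login_name, old_password, now) not in ("ok", "must_change"):
        return False
    record = USERS[login_name]
    record["salt"], record["digest"] = hash_password(new_password)
    record["must_change"] = False
    record["temp_expires"] = None
    return True
```

Because only the digest is stored, `request_reset` cannot "pick up the password and email it off"; it can only overwrite it, which is exactly why a site that mails back the original password must be keeping it in a recoverable form. The `now` parameter exists so the expiry logic can be exercised deterministically.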