We've seen this problem as well -- in this case we simply create a new password for the user and ask them to change it the first time they log on.

Clayton

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]] On Behalf Of Bhushan_Bhangale
Sent: 04 July 2002 11:29
To: [EMAIL PROTECTED]
Subject: Re: Password encryption

This is also fine but there come situations where we need to send the password to the user. I faced this situation with my client and we had to move from Md5 algo to Cryptography.

-----Original Message-----
From: Clayton Nash [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 04, 2002 3:50 PM
To: [EMAIL PROTECTED]
Subject: Re: Password encryption

Both of these replies are good, but what you really want to do is MD5 or SHA encode the password and store the hashed result. Then when the user enters their password, you apply the same algorithm to that, and compare the results. Advantage is that you never store the user's password so even if someone gets the list of passwords, they can't decode them -- in theory no-one ever can.

Clayton

=========================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com
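
The flow discussed in this thread (store only a hash, re-apply the algorithm at login and compare, and on a forgotten password issue a new one that must be changed at first logon), as an added Java example that is not code from any of the posters. It swaps the plain MD5/SHA digest mentioned in the thread for salted PBKDF2 from the JDK; the class and method names, the iteration count and the sample password are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: PasswordStore and Account are hypothetical names.
public class PasswordStore {
    static final int ITERATIONS = 210_000, KEY_BITS = 256; // assumed work factor
    static final SecureRandom RNG = new SecureRandom();

    // What the database row holds: salt and hash, never the password itself.
    static class Account { byte[] salt, hash; boolean mustChange; }

    // Salted, iterated derivation used for both storing and checking.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    // Store a fresh random salt and the derived hash.
    static void setPassword(Account a, char[] password, boolean mustChange) throws Exception {
        a.salt = new byte[16];
        RNG.nextBytes(a.salt);
        a.hash = derive(password, a.salt);
        a.mustChange = mustChange;
    }

    // Apply the same derivation to the login attempt; compare in constant time.
    static boolean verify(Account a, char[] attempt) throws Exception {
        return MessageDigest.isEqual(a.hash, derive(attempt, a.salt));
    }

    // Forgotten password: issue a random one-time password, flagged for change.
    static String reset(Account a) throws Exception {
        byte[] raw = new byte[12];
        RNG.nextBytes(raw);
        String temp = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        setPassword(a, temp.toCharArray(), true);
        return temp; // handed to the user once, never stored in clear
    }

    public static void main(String[] args) throws Exception {
        Account a = new Account();
        setPassword(a, "correct horse".toCharArray(), false); // constructed sample
        System.out.println("login ok: " + verify(a, "correct horse".toCharArray()));
        String temp = reset(a);
        System.out.println("old works: " + verify(a, "correct horse".toCharArray())
                + ", temp works: " + verify(a, temp.toCharArray())
                + ", must change: " + a.mustChange);
    }
}
```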