Hi

Just to throw another thought in....

If you do change the password and send it to them, you have to allow for the
fact that their email could have changed - left work, service provider went
bust, etc., or somebody could just enter their email for a joke 8*} and
get their password reset. I have seen systems where old and new passwords
work until you confirm the new one, which is a halfway house, but more
programming.

The fact is that security is difficult, not technically, but from a human
perspective. People are a security risk and educating users in proper
security is the best answer, though a lost cause sometimes :)

Regarding two-way encryption, see

http://www.mysql.com/doc/M/i/Miscellaneous_functions.html

and

ENCODE(str,pass_str)

BFN

Peter

-----------------------------------------------
Excellence in internet and open source software
-----------------------------------------------
Sunmaia
www.sunmaia.net
[EMAIL PROTECTED]
tel. 0121-242-1473
-----------------------------------------------

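The "old and new passwords both work until the new one is confirmed" scheme mentioned above, modelled as an added example (not code from this thread). It assumes a single in-memory account and stores salted PBKDF2 hashes rather than MySQL ENCODE output, so the temporary password mailed out is never kept in recoverable form and a prank reset cannot lock the real owner out.

```python
import hashlib
import hmac
import os
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    # One-way hash: the store never needs the plaintext back.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Current credential plus an optional pending one created by a reset."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.current = hash_password(password, self.salt)
        self.pending = None  # (hash_of_temp_password, expires_at) or None

    def request_reset(self, now: float, ttl: float = 3600) -> str:
        """Create a temporary password to mail out; the old one keeps working."""
        temp = secrets.token_urlsafe(12)
        self.pending = (hash_password(temp, self.salt), now + ttl)
        return temp  # caller emails this; stored current credential is unchanged

    def login(self, password: str, now: float) -> bool:
        candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.current):
            # Old password still valid, so a reset triggered by someone else
            # does not lock the owner out.
            return True
        if (self.pending and now <= self.pending[1]
                and hmac.compare_digest(candidate, self.pending[0])):
            # Logging in with the mailed password confirms the reset; only now
            # does the new credential replace the old one.
            self.current, self.pending = self.pending[0], None
            return True
        if self.pending and now > self.pending[1]:
            self.pending = None  # unconfirmed reset simply expires
        return False
```
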
> -----Original Message-----
> From: César Aracena [mailto:[EMAIL PROTECTED]]
> Sent: 30 June 2002 21:42
> To: 'databarn'; 'MySQL'
> Subject: RE: Soliciting best approach for storing passwords . . .
>
>
> Barn.
>
> I asked the same question a couple of weeks ago and all the answers I got
> pointed to one-way encryption. Actually, I had the same need as you,
> but understood that it was better to reset the password when a "Forgot
> password" request was made, send it to the user and ask them to change the
> password at the next login.
>
> I suppose you have the same problem that I had... a few users who would
> get angry if asked to do such a thing. But then I realized that if I
> used a very common "words" list to generate random passwords, they might
> even learn that password without changing it.
>
> After all the responses I've got regarding this issue, I never got the
> answer to how to do two-way encryption, so if this doesn't help you...
>
> > -----Original Message-----
> > From: databarn [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, June 30, 2002 10:36 AM
> > To: MySQL
> > Subject: Soliciting best approach for storing passwords . . .
> >
> > Folk,
> > I need some input on how best to store username/password combinations
> > online.  My preference would be to store a one-way encrypted value, but
> > that is not possible in this situation.  The constraint is that we have to
> > make provision for giving the user's password back to the user after a
> > "forgot my password" link has been clicked.
> >
> > (Oh, a secondary input would be on the best way to accomplish the password
> > return to the user <grin />.)
> >
> > Normally, I store passwords as a one-way hash, then encrypt input to see
> > if it matches, but I can't do that this time:  I have to store a clear
> > text or decryptable value.  I've seen several approaches to this, but
> > don't see any clear 'best practice'.  Right now I'm leaning toward a
> > multiple table design, but I have no real idea if this is a better model
> > than a single table design.  I'd really appreciate input from some of you
> > who have wrestled with this problem before.
> >
> > If it matters, the development box is Win2K/IIS5, PHP 4.0.5, MySQL
> > 3.23.32, and the implementation box is *nix/Apache 1.3.22, PHP 4.1.1,
> > MySQL 3.23.47.
> >
> > I'd appreciate any suggestions for a best resolution.  Thanks.
> >
> >
> >
> > Make a good day . . .
> >  . . . barn
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >   If you're not confused, you're not paying attention
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >
> >
> > ---------------------------------------------------------------------
> > Before posting, please check:
> >    http://www.mysql.com/manual.php   (the manual)
> >    http://lists.mysql.com/           (the list archive)
> >
> > To request this thread, e-mail <[EMAIL PROTECTED]>
> > To unsubscribe, e-mail <mysql-unsubscribe-
> > [EMAIL PROTECTED]>
> > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>

