Don't let them change it to whatever they want - have your program/system
create a new, random password and e-mail it to the user's account. Unless
the malicious person has a way to intercept the e-mail - which is possible -
it's kind of useless. But how else are you going to get that information to
them? You also might try the "Answer your secret question" routine, where
you type in a question that only you know the answer to, and you answer it
to get the e-mail sent off...

- Jonathan

"Jeff Oien" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I like the new password idea. How do I make sure it's them who's creating
> a new password so that someone else doesn't maliciously change their
> password? If someone knew someone's username and e-mail address
> I would think they could change it. Thanks.
> Jeff
>
> > This doesn't seem to solve his problem of encryption, however. If you really
> > want secure encryption, you'll be using one-way encryption, which means it
> > cannot be decoded/decrypted/unencrypted/whatever. If you want to use this
> > method, then instead of sending them their password, it would be best to
> > create a NEW password, send it via e-mail, then encrypt and store the new
> > password in the database, overwriting the old one.
> >
> > If you only want mild security on the passwords, you can always use some
> > encode() and decode() like base64 encoding/decoding. It's not really
> > "security" but it might discourage some script kiddies or hacker wannabes.
> > Or you can be a little more creative and create your own password
> > encryption/decryption, which would be a bit harder to break, depending on
> > the level of complexity of the algorithm.
> >
> > - Jonathan
> >
> >
> > "Russ Michell" <[EMAIL PROTECTED]> wrote in message
> > news:SIMEON.10108311759.J@k1c.anglia.ac.uk...
> > > Have a registration screen that inserts their names, email etc *and* their
> > > choice of username + password:
> > >
> > > // Store only MySQL's one-way PASSWORD() hash, never the clear-text password.
> > > // (Note that $username, $realname, $email go into the SQL string unescaped.)
> > > $sql = "INSERT INTO <table> (username,realname,password,email) VALUES
> > > ('$username','$realname',PASSWORD('$password'),'$email')";
> > > $result = mysql_query($sql,$connect);
> > >
> > > //and do a check if the username chosen exists already
> > > //(run this before the INSERT above):
> > >
> > > $chksql = "SELECT username FROM <table> WHERE username='$username'";
> > > $chkresult = mysql_query($chksql,$connect);
> > > $check = mysql_num_rows($chkresult);
> > > if ($check > 0) {   // a row came back, so that name is already taken
> > >     echo "this username already exists, select another.";
> > > }
> > > else {
> > >     echo "continue!";
> > > }
> > >
> > > if they have forgotten their password after registering, then have a link
> > > that sets a variable, and check for this variable at the top of the page:
> > >
> > > echo "<a href=\"$PHP_SELF?id=lostpassword\">go here to retrieve lost password</a>";
> > >
> > > if '$id' is set then have the user input their password and email address
> > > (the one they registered with) and query the database for a username on the
> > > basis of the inputted info, and email it using mail() to that email address!
> > >
> > > Use the same method for a lost username: they can then input their password
> > > and email and the system will mail them the lost details!
> > >
> > > Good luck!
> > > Russ
> > >
> > > On Fri, 31 Aug 2001 10:38:53 -0500 Jeff Oien <[EMAIL PROTECTED]> wrote:
> > >
> > > > I would like users to be able to request to have their password
> > > > sent to their email address if they forget it. I would also like it
> > > > encrypted in the database though. How is this best handled?
> > > >
> > > > The security isn't real important. But I let users choose their
> > > > own password and if they use a password they use for other
> > > > things I think it would be best for it to be encrypted.
> > > > Jeff Oien
> > > >
> > > > --
> > > > PHP Database Mailing List (http://www.php.net/)
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> > > >
> > >
> > > #-------------------------------------------------------#
> > >
> > >   "Believe nothing - consider everything"
> > >
> > >   Russ Michell
> > >   Anglia Polytechnic University Webteam
> > >   Room 1C 'The Eastings' East Road, Cambridge
> > >
> > >   e: [EMAIL PROTECTED]
> > >   w: www.apu.ac.uk/webteam
> > >   t: +44 (0)1223 363271 x 2331
> > >
> > >   www.theruss.com
> > >
> > > #-------------------------------------------------------#
> > >
> >
> >
> >
> >




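The flow the thread converges on (a one-way hash in the database, a username-exists check, and a lost-password handler that issues a new random password and mails it only to the registered address) written out as an added example in current PHP. This is not code from any of the posts above; it assumes a PDO connection and a `users` table with a `password_hash` column instead of MySQL's PASSWORD(), and it takes the mail-sending function as a parameter so the demo can run offline against an in-memory SQLite database (pass PHP's own `mail` in production). Every value reaches the SQL through a bound parameter rather than string interpolation.

```php
<?php
// Added example, not code from the original thread. Assumes a PDO handle
// to a table users(username, realname, password_hash, email) and a callable
// $sendMail with the same signature as PHP's mail($to, $subject, $body).

function registerUser(PDO $db, string $username, string $realname,
                      string $password, string $email): bool
{
    // Username-exists check (Russ's idea), with a bound parameter so that a
    // name like  x' OR '1'='1  is just data, not part of the query.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $stmt->execute([$username]);
    if ($stmt->fetchColumn() !== false) {
        return false; // caller prints "this username already exists, select another."
    }
    // One-way hash: the clear text is never stored, so it can never be mailed
    // back; a lost password is handled by issuing a new one (Jonathan's point).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO users (username, realname, password_hash, email) VALUES (?, ?, ?, ?)');
    return $stmt->execute([$username, $realname, $hash, $email]);
}

function verifyLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

function newRandomPassword(int $bytes = 9): string
{
    // 9 bytes from the CSPRNG -> 12 URL-safe base64 characters (~72 bits);
    // never rand()/mt_rand() for this.
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

function lostPassword(PDO $db, string $username, string $email, callable $sendMail): bool
{
    // Act only when username AND the e-mail on file match what was typed in.
    // The new password is sent to the stored address, never to a form value,
    // so knowing a username and e-mail address alone gains an attacker nothing
    // unless they can also read that mailbox.
    $stmt = $db->prepare('SELECT email FROM users WHERE username = ? AND email = ?');
    $stmt->execute([$username, $email]);
    $registered = $stmt->fetchColumn();
    if ($registered === false) {
        return false;
    }
    $newPassword = newRandomPassword();
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
    $sendMail($registered, 'Your new password',
        "A new password was generated for account $username: $newPassword\n"
        . "Log in and change it straight away.");
    return true;
}

// Offline demo with constructed data: in-memory SQLite and a mail stub.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, realname TEXT,
                               password_hash TEXT, email TEXT)');

$outbox = [];
$captureMail = function (string $to, string $subject, string $body) use (&$outbox): bool {
    $outbox[] = ['to' => $to, 'subject' => $subject, 'body' => $body];
    return true;
};

var_dump(registerUser($db, 'jeff', 'Jeff Oien', 'correct horse', 'jeff@example.com'));
var_dump(registerUser($db, 'jeff', 'Someone Else', 'x', 'other@example.com'));   // duplicate name
var_dump(verifyLogin($db, 'jeff', 'correct horse'));
var_dump(lostPassword($db, 'jeff', 'attacker@example.com', $captureMail));       // wrong e-mail
var_dump(lostPassword($db, 'jeff', 'jeff@example.com', $captureMail));
var_dump(verifyLogin($db, 'jeff', 'correct horse'));                            // old password gone
var_dump(count($outbox), $outbox[0]['to'] ?? null);
```

Run it with `php example.php`. Two caveats a practitioner would add to this flow: the mailed clear-text password should be treated as temporary and the user forced to change it at the next login, and the same identity check is usually tied today to a single-use, time-limited reset link rather than a password in the mail body, which keeps any clear-text secret out of e-mail altogether. Either way the reasoning in the thread holds: because the response goes only to the address already on file, an attacker who merely knows a username and e-mail address can at worst lock the victim out until they read their mail, not take over the account.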