good point well made. this system has pretty much everything we need - thanks!
-----Original Message----- From: Ryan Marrs [mailto:[EMAIL PROTECTED]] Sent: 20 December 2001 16:17 To: 'Zach Curtis'; matt stewart Cc: [EMAIL PROTECTED] Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL Or what may be even better at that point (to keep someone from pestering another user and changing their password. Email them a randomly generated string based on their username, store that in a database, then send them to a page to enter the string (or pass it through the url.) IE. I'm Joe, I lost my password, I click Lost Password. It emails me this: http://this.domain.com/passwordreset.php?un=joe&gen=2lkfh4j2lk34klb25bmn425k l23k5b Then it will change my password to a randomly generated string and email it to me. After that, it will allow me to change my password. That way you don't have a schmuck in there guessing usernames, or pestering people they don't like by clicking "Lost Password". If someone doesn't check their mail quite frequently, they'll just get "Incorrect Password" and be emailing you for support every 5 minutes. ________________________________________________ Ryan Marrs Web Developer Sandler and Travis Trade Advisory Services, Inc. 248.474.7200 x 183 http://www.strtrade.com -----Original Message----- From: Zach Curtis [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 20, 2001 11:15 AM To: matt stewart Cc: [EMAIL PROTECTED] Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL This is how I'm going to work things. Store the password using PASSWORD() in the table. Allow user to request their forgotten username and/or password. If the password is requested, I will reset the password to a random value and store this in the table using PASSWORD(). The username and/or password will then be emailed to the user. I will also provide a location where the user can change their password once they are authenticated in the members area. I think this approach allows the password to maintain a certain level of security and give the user the greatest flexibility on maintaining their password. Zach -----Original Message----- From: matt stewart [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 20, 2001 2:19 AM To: 'Zach Curtis'; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL I would go for the "generate new random password" approach - email the new random password to the registered email address, then they can log in using it and reset it to whatever they want. probably easier than using lots of code encrypting and decrypting things? Let me know what you decide on, and if you do enc/decrypt stuff, i'd be interested in seeing the code for a similar thing myself! Matt -----Original Message----- From: Zach Curtis [mailto:[EMAIL PROTECTED]] Sent: 19 December 2001 20:27 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL Thanks for the suggestions. I guess I can try to: A) Store the password in plaintext if I need to retrieve the password. B) Store the password using PASSWORD() and then generate a new random password if needed, replacing the old password. C) Look into mcrypt, ENCODE()/DECODE(), encipher/decipher Thanks, Zach -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 19, 2001 12:56 PM To: Zach Curtis Cc: [EMAIL PROTECTED] Subject: RE: [PHP-DB] Decrypting PASSWORD() from MySQL Yet another example of ted's out-to-lunchness... Use the mcrypt functions on the password... -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.307 / Virus Database: 168 - Release Date: 11/12/01 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.307 / Virus Database: 168 - Release Date: 11/12/01 -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.307 / Virus Database: 168 - Release Date: 11/12/01 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.307 / Virus Database: 168 - Release Date: 11/12/01 -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]