Is it really necessary to store passwords encrypted in a mySQL DB for a membership site if you're not storing sensitive info such as credit card numbers? How much security does that offer, really, and for whom?
The reason I ask is because I'm trying to implement a "forgot password" feature on a membership site. But if I store passwords encrypted, I can't just send the password to their e-mail address, I have to generate a new one before sending it, which essentially locks that member out of the site until they get their new password. This has the potential to be abused by a vindictive person. All they need to know is the member's username or e-mail address and they can keep re-generating new passwords (locking the member out of their own account) for a member to annoy them. If the password wasn't encrypted, I could just e-mail their existing password. The only annoyance then would be someone sending this password over and over to another user, but, at least they won't get 20 new passwords and be locked out of their account as a result. If anyone else has dealt with this issue, I'd appreciate your insight. Thanks! Monty -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
