Re: Password Logic

Good thinking. This idea is much better.

-w

At 10:33 PM 1/4/2004, you wrote:

> > For best practices' sake, if the user forgets their password, you should only be able to generate a new one and email it out
>
> I prefer not to send any password via mail (auto- or user-generated). If a user forgets his/her password we do a couple of things:
>
> 1- User must type the registered email in his account (assuming you ask for an email when registering and it is unique).
> 2- An email with a link (which holds a random UUID) is sent to the user's email.
> 3- The UUID and the user id are stored in the database along with date/time.
> 4- User has 24 hours to click on the link in the email... after this the link will be invalid (the link will also work only once...).
> 5- When the user clicks the link, he/she gets two text fields to provide a new password (new password and confirmation).
> 6- After that the password is reset to the new value.
>
> A little complex, but we mention this to the user in the emails sent that it is for his/her best interest not to send any kind of passwords via mail.
>
> hth
> mauricio
Re: Password Logic

I have plaintext passwords in the database; sometimes I want to use a hash to encrypt the password. But I have a problem with the password field in the database. It has a check constraint to check all the required characters for a valid password. I don't like to drop this check constraint. How do I fix this problem?

Thanks,
John
Re: Password Logic

Good comments. I tend not to like the question/answer combo because more often than not I won't remember what I put as the question in the first place, and a lot of times won't remember how exactly I wrote the answer (was it mom... or Mom... or mother?), but it IS safer. Maybe we could come up with a new, even better way?

Mauricio
Re: Password Logic

John Ho wrote:

> I don't like to drop this check constraint. How do I fix this problem?

Move the logic out of the database and rewrite it in ColdFusion.

--
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
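Matt's suggestion carried out, as an added example that is not from the thread (and in Python rather than ColdFusion, so it can be run as-is). The point it shows is why the check has to move: once the column holds a salted hash, the stored value no longer contains the characters a "required characters" constraint looks for, so the policy must be applied to the plaintext in application code before hashing. The policy rules, the iteration count and the rehash-on-login step for John's existing plaintext rows are assumptions; his actual constraint is not shown in the thread.

```python
"""Password policy enforced in application code, then a salted hash stored.

Added example, not from the mailing-list thread. Assumed policy: at least
8 characters with an upper-case letter, a lower-case letter and a digit.
"""
import hashlib
import hmac
import os
import re

# Constructed policy standing in for the database CHECK constraint.
POLICY_RULES = {
    "at least 8 characters": lambda p: len(p) >= 8,
    "an upper-case letter": lambda p: re.search(r"[A-Z]", p) is not None,
    "a lower-case letter": lambda p: re.search(r"[a-z]", p) is not None,
    "a digit": lambda p: re.search(r"[0-9]", p) is not None,
}

PBKDF2_ITERATIONS = 100_000   # assumed; raise to what your hardware allows
HASH_PREFIX = "pbkdf2_sha256"


def policy_violations(password):
    """Names of the rules the plaintext password fails (empty list = OK)."""
    return [name for name, ok in POLICY_RULES.items() if not ok(password)]


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "$".join([HASH_PREFIX, str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()])


def is_hashed(stored):
    """True if the column already holds a hash rather than legacy plaintext."""
    return stored.startswith(HASH_PREFIX + "$")


def verify_password(password, stored):
    """Constant-time comparison against a stored hash."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != HASH_PREFIX:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def set_password(password):
    """Application-layer replacement for the CHECK constraint: validate the
    plaintext, then return the value to store (the hash only)."""
    violations = policy_violations(password)
    if violations:
        raise ValueError("password needs " + ", ".join(violations))
    return hash_password(password)


def login_and_upgrade(candidate, stored):
    """Migration path for rows that still hold plaintext: accept the legacy
    value once, then hand back a hash to write over it.
    Returns (login_ok, new_stored_value_or_None)."""
    if is_hashed(stored):
        return verify_password(candidate, stored), None
    if hmac.compare_digest(candidate, stored):      # legacy plaintext row
        return True, hash_password(candidate)
    return False, None


if __name__ == "__main__":
    stored = set_password("Correct1Horse")
    print(stored)                                   # hash, not the password
    print(policy_violations("short"))
    print(login_and_upgrade("OldPlain9x", "OldPlain9x")[0])   # True
```

The stored string is hex plus a fixed prefix, which is exactly the kind of value a "must contain an upper-case letter" constraint would reject; that is the concrete reason the rule belongs in the code path that still sees the plaintext.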
Re: Password Logic

> was it mom... or Mom... or mother

Don't forget 'mom.' and all the variants thereto. I got burned on that one once. I think some variation of hint/answer is about as good as you're going to get. There are other things you can do, like ask for some sort of supposedly private ID number or some such, but nothing is going to be perfect, and maybe not better. I'd love to see someone build a better mousetrap.

One thing you can do: provide a list of questions the user must pick from. City of birth, favorite pet's name, etc. Then the user is limited in the creativity they can apply to the question and you can maybe minimize the screwup potential as a result.

--
Matt Robertson, [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
Re: Password Logic

> For best practices' sake, if the user forgets their password, you should only be able to generate a new one and email it out

I prefer not to send any password via mail (auto- or user-generated). If a user forgets his/her password we do a couple of things:

1- User must type the registered email in his account (assuming you ask for an email when registering and it is unique).
2- An email with a link (which holds a random UUID) is sent to the user's email.
3- The UUID and the user id are stored in the database along with date/time.
4- User has 24 hours to click on the link in the email... after this the link will be invalid (the link will also work only once...).
5- When the user clicks the link, he/she gets two text fields to provide a new password (new password and confirmation).
6- After that the password is reset to the new value.

A little complex, but we mention this to the user in the emails sent that it is for his/her best interest not to send any kind of passwords via mail.

hth
mauricio
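The six steps above as one runnable flow, added here as an example; it is not mauricio's code or anything from the list. The user table, the reset-token table and the outgoing mail are in-memory stand-ins (constructed), and times are passed as Unix timestamps so the 24-hour expiry and the single-use rule can be exercised without waiting. One choice that goes slightly beyond the description: only a SHA-256 hash of the UUID is stored in the token table, so a copy of that table cannot be used to build a working link.

```python
"""Single-use, 24-hour password-reset link, following the six steps above.

Added example, not from the mailing-list thread. Stores and mailer are
constructed in-memory stand-ins.
"""
import hashlib
import hmac
import os
import time
import uuid

RESET_TTL_SECONDS = 24 * 3600
PBKDF2_ITERATIONS = 100_000   # assumed; raise for production hardware

# Constructed stores standing in for the real database and mailer.
USERS = {"alice@example.com": {"id": 1, "pw": None}}
RESET_TOKENS = {}   # sha256(token) -> {"user_id", "issued", "used"}
OUTBOX = []         # one dict per mail "sent"


def _hash_password(password):
    """Salted PBKDF2-HMAC-SHA256 for the new password (never stored plain)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def _token_key(token):
    # Only a hash of the token is stored, so a copied table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Steps 1-3: check the email is registered, mint a random UUID, store its
    hash with the user id and issue time, and mail the link."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return            # same outward behaviour: don't reveal which emails exist
    token = str(uuid.uuid4())
    RESET_TOKENS[_token_key(token)] = {"user_id": user["id"], "issued": now, "used": False}
    OUTBOX.append({"to": email, "link": "https://app.invalid/reset?token=" + token})


def last_mail():
    """Most recent mail in the constructed outbox, or None."""
    return OUTBOX[-1] if OUTBOX else None


def token_from_link(link):
    return link.split("token=", 1)[1]


def redeem_reset(token, new_pw, confirm, now=None):
    """Steps 4-6: accept the link once and only within 24 hours, require the
    two password fields to match, then replace the stored password hash."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(_token_key(token))
    if rec is None or rec["used"]:
        return False                          # unknown or already spent
    if now - rec["issued"] > RESET_TTL_SECONDS:
        return False                          # older than 24 hours
    if new_pw != confirm:
        return False                          # mismatch: token stays valid for a retry
    rec["used"] = True                        # burn the token before writing anything
    user = next(u for u in USERS.values() if u["id"] == rec["user_id"])
    user["pw"] = _hash_password(new_pw)
    return True


def verify_login(email, password):
    """Normal login against the stored hash, constant-time compare."""
    user = USERS.get(email)
    if user is None or user["pw"] is None:
        return False
    salt_hex, digest_hex = user["pw"].split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    t0 = 1073255580                      # constructed timestamp
    request_reset("alice@example.com", t0)
    tok = token_from_link(last_mail()["link"])
    print(redeem_reset(tok, "New-Pass1", "New-Pass1", t0 + 3600))   # True
    print(redeem_reset(tok, "Other-2", "Other-2", t0 + 7200))       # False: single use
    print(verify_login("alice@example.com", "New-Pass1"))            # True
```

Two details worth keeping when this is ported to a real table: the `used` flag is set before the new hash is written, so a second click during the same request cannot win a race, and a mismatched confirmation leaves the token unspent so the user can retry the form without requesting a fresh mail.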