I am creating a PHP script and using MySQL with it for the first time. I have been going along smoothly until my send password reminder... For passwords in the MySQL db I wanna have them in md5 format for security reasons, but because of this the password reminder e-mail sends the password in md5 format rather than the password the user types in.
Any ideas?
ezyrewards.com - Free iPods, Domain Names, Vouchers and more.
Now with over 75,000 members!
You can always make the email send a password-change confirmation, then regenerate a new password, email them the new password, then md5 it to your db.
That's good thinking! Problem solved
Originally posted by Canuckkev
You can always make the email send a password-change confirmation, then regenerate a new password, email them the new password, then md5 it to your db.
Thanks!
Well, generating a new password is a common method of retrieving a lost password. Since md5 is a one-way hash, it cannot be decrypted. Consequently, a new password has to be generated when a user loses his / her.
What should be considered deeply is generating user-friendly passwords. For example, mail.yahoo.com retrieves a password by grabbing a database which contains familiar words (with a combination of special characters and alphanumerics) and pops a random password from the database. This is a better way than generating "meaningless" new passwords.
However, there is another way. That is to use a two-way hash. You can use, for example, "base64_encode" and "base64_decode" combined with a special function (to fuzzy up password cracker programs). With this method, the user will never lose his / her password.
It depends on you to decide.
Another way would be to send a password reset link through email.
You generate a random password, store the MD5 hash in the database, create a password reset page and include a link like http://yourdomain.com/passwordreset.php?username=user&passreset=randompassword
If they click on it they get a page that asks them to choose a new password.
A lot of people will use the same password over and over for a dozen different things, so having it stored in a way that could potentially allow someone to "hack" them isn't very secure.
Last edited by CareBear; February 15th, 2004 at 07:21.
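The reset-link flow described in the post above, as an added PHP example that is not code from any poster in this thread. It differs from the thread in three labelled ways: the link carries a random one-time token rather than a username and password, only a SHA-256 hash of the token is stored, and the account password is stored with password_hash() instead of MD5. The table names, function names and example.com URL are hypothetical, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example (not from the thread). Table and function names are hypothetical.
// SQLite in memory stands in for the MySQL database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pass_hash TEXT)');
$db->exec('CREATE TABLE resets (user_id INTEGER PRIMARY KEY, token_hash TEXT, expires INTEGER)');
$db->prepare('INSERT INTO users (email, pass_hash) VALUES (?, ?)')
   ->execute(['user@example.com', password_hash('old password', PASSWORD_DEFAULT)]);

// Step 1: create a one-time token. Only its hash is stored; the raw token goes in the e-mail.
function startReset(PDO $db, string $email): ?string {
    $q = $db->prepare('SELECT id FROM users WHERE email = ?');
    $q->execute([$email]);
    $id = $q->fetchColumn();
    if ($id === false) return null;          // caller shows the same message either way
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
    $db->prepare('REPLACE INTO resets (user_id, token_hash, expires) VALUES (?, ?, ?)')
       ->execute([$id, hash('sha256', $token), time() + 3600]);
    return $token;
}

// Step 2: the reset page checks the token, burns it, then stores the new password hash.
function finishReset(PDO $db, string $token, string $newPassword): bool {
    $q = $db->prepare('SELECT user_id, expires FROM resets WHERE token_hash = ?');
    $q->execute([hash('sha256', $token)]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return false;        // unknown token, or already used
    $db->prepare('DELETE FROM resets WHERE user_id = ?')->execute([$row['user_id']]); // single use
    if ((int)$row['expires'] < time()) return false;                                  // expired
    $db->prepare('UPDATE users SET pass_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['user_id']]);
    return true;
}

// Constructed walk-through: request a link, use it once, then replay it.
$token = startReset($db, 'user@example.com');
echo "https://example.com/passwordreset.php?token=$token\n";
var_dump(finishReset($db, $token, 'new long passphrase')); // first use of the link
var_dump(finishReset($db, $token, 'attacker choice'));     // same link used again
```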
It's never wise to pass a password or username using GET.
It depends on the system.
It's never wise to pass a password or username using GET.
Although it's unwise, the link is sent to the user's email such that only hijackers (or some people right there) will feel interested in it.
An advanced system will use an intricate password recovery mechanism and we wouldn't talk about it here, right??
Considering it's only a one-time valid only password that will get reset as soon as the page loads, there shouldn't be a problem.
Originally posted by spec
It's never wise to pass a password or username using GET.
md5 encrypt in PHP is not the same as md5 in MySQL
Originally Posted by bozley05
It is the same...
Originally Posted by salemener
And this thread is kinda 1 yr ago.