A good solution is to reset the password through the screen.

1. Validate the user through some sort of test (secret question or something).
2. Then send them to a screen where they can reset the password themselves to whatever they want.
3. Initiate an email to the stored email address notifying of the password reset (in case an imposter made the change).

It's a little less secure (because of social engineering attacks), but it's fine for a low security site while still maintaining fundamental security at the password data level. Keep in mind the requirement to reset an unknown password really is for your own good. Two-way encryption of passwords is unsafe both because somebody can get and use them without the owner even knowing that they've been compromised and because anybody with the decryption key (often anybody with access to the codebase) can get passwords.

-Adam

On Apr 5, 4:51 am, soniiic <soni...@gmail.com> wrote:
> I hope that doesn't mean storing the real password in a table in the
> database :)
>
> On Apr 4, 11:12 pm, Joshua Partogi <joshua.j...@gmail.com> wrote:
> > On Apr 4, 11:49 pm, Masklinn <maskl...@masklinn.net> wrote:
> > > On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> > > > Dear all,
> > > >
> > > > I already took a look at the django.contrib.auth.models but could not
> > > > find any methods for decrypting the user password.
> > > >
> > > > Sometimes we need to get the real text password to be sent to the user.
> > > >
> > > > What is the best way to do this? Has anybody got an idea?
> > > >
> > > > Thank you very much in advance!
> > >
> > > Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
> > > them, and that's exactly the intent (well the intent is not that *you*
> > > cannot retrieve them, it's that nobody else can). If you need to send
> > > users their passwords, you have to generate new (random) passwords and
> > > send them that.
> > >
> > > Masklinn
> >
> > Thanks for the explanation Masklinn. :-)
> >
> > I'll find another way to send users their password.
> >
> > Thank you very much.
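The point made in the thread, that a salted hash can be checked but not reversed, so recovery means issuing a new password, shown as an added example that is not part of the original messages and is not Django's own code. The helper names, the in-memory `users` dict, the iteration count and the record layout (modelled on an `algorithm$iterations$salt$hash` string) are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch


def make_password(raw, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$hash'; the raw password is never stored."""
    salt = salt or secrets.token_hex(8)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), iterations)
    encoded = base64.b64encode(digest).decode()
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, encoded)


def check_password(raw, stored):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _algo, iterations, salt, _digest = stored.split("$")
    candidate = make_password(raw, salt=salt, iterations=int(iterations))
    return hmac.compare_digest(candidate, stored)


def reset_password(users, username):
    """Overwrite the stored hash with one for a new random password.

    The old password cannot be read back from the record, so the only
    recovery path is replacement. The caller delivers the returned value
    once and sends the notification email to the address on file.
    """
    new_raw = secrets.token_urlsafe(12)
    users[username] = make_password(new_raw)
    return new_raw


if __name__ == "__main__":
    # Constructed sample data: two accounts sharing the same password.
    users = {"alice": make_password("hunter2"), "bob": make_password("hunter2")}
    print(users["alice"] != users["bob"])           # salts make the records differ
    print(check_password("hunter2", users["alice"]))
    temp = reset_password(users, "alice")
    print(check_password("hunter2", users["alice"]), check_password(temp, users["alice"]))
```
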