I know there's been discussion on the list before on this topic, but I'm a 
little fuzzy on the details.

I want to create a site where users can create an account online, and then 
log in to search job postings.  I want to store their user info and 
password in a database. I need a way for them to retrieve their passwords 
if forgotten. I know there are two basic approaches:

1) Storing the passwords using some form of encryption, which can be 
reversed and the password can be emailed to the user.

This seems to me to be preferable, since they don't have to change their 
password whenever they forget it. However, are there security issues with 
this? I know many people recommend the second method:

2) Generating a new random password which the user can then use to log in 
and change to whatever they want.

What are the advantages of this, since someone would need access to the 
person's email address with either method 1 or 2 in order to steal the 
password?

What functions should I be looking at for encryption, for either method? 
What are advantages and disadvantages of each method?

The site will not take credit card information; all accounts are free. So 
the security issues are much less, but of course you do not want a site 
where people's accounts are stolen even if there is not money involved.

I hope this is clear,

-Lisi


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
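
Method 2 from the message above, as an added example that is not part of the original post: the database keeps only a one-way hash, and a forgotten password is replaced by a random temporary one that must be changed after login. It assumes PHP 7.1 or later; the in-memory `$users` array, the field names and the function names are hypothetical stand-ins for a real user table.

```php
<?php
// Added example: method 2 with one-way hashing. The $users array stands in
// for the database table (hypothetical schema, not from the original post).

/** Register: store only a salted one-way hash, never the password itself. */
function register_user(array &$users, string $email, string $password): void
{
    $users[$email] = [
        'hash'         => password_hash($password, PASSWORD_DEFAULT),
        'must_change'  => false,
        'temp_expires' => 0,
    ];
}

/** Forgotten password: swap the stored hash for that of a random temporary password. */
function reset_password(array &$users, string $email, int $now, int $ttl = 3600): ?string
{
    if (!isset($users[$email])) {
        return null; // caller should show the same message whether or not the account exists
    }
    $temp = bin2hex(random_bytes(8)); // 16 hex characters from the CSPRNG
    $users[$email]['hash']         = password_hash($temp, PASSWORD_DEFAULT);
    $users[$email]['must_change']  = true;
    $users[$email]['temp_expires'] = $now + $ttl;
    return $temp; // goes into the email only; the database holds just its hash
}

/** Login: returns 'ok', 'change_required' or 'denied'. */
function login(array $users, string $email, string $password, int $now): string
{
    $u = $users[$email] ?? null;
    if ($u === null || !password_verify($password, $u['hash'])) {
        return 'denied';
    }
    if ($u['must_change']) {
        // A temporary password is honoured only until it expires.
        return $now <= $u['temp_expires'] ? 'change_required' : 'denied';
    }
    return 'ok';
}

// Constructed sample run (timestamps are plain integers for clarity).
$users = [];
register_user($users, 'user@example.com', 'original-secret');
$temp = reset_password($users, 'user@example.com', 1000);
var_dump(login($users, 'user@example.com', 'original-secret', 1001)); // old password after a reset
var_dump(login($users, 'user@example.com', $temp, 1001));             // temporary password in time
var_dump(login($users, 'user@example.com', $temp, 4601));             // temporary password after expiry
```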
