I know there's been discussion on the list before on this topic, but I'm a
little fuzzy on the details.

I want to create a site where users can create an account online, and then
log in to search job postings. I want to store their user info and
password in a database. I need a way for them to retrieve their passwords
if forgotten. I know there are two basic approaches:

1) Storing the passwords using some form of encryption, which can be
reversed and the password can be emailed to the user.

This seems to me to be preferable, since they don't have to change their
password whenever they forget it. However, are there security issues with
this? I know many people recommend the second method:

2) Generating a new random password which the user can then use to log in
and change to whatever they want.

What are the advantages of this, since someone would need access to the
person's email address with either method 1 or 2 in order to steal the

What functions should I be looking at for encryption, for either method?
What are advantages and disadvantages of each method?

The site will not take credit card information; all accounts are free. So
the security issues are much less, but of course you do not want a site
where people's accounts are stolen even if there is not money involved.
I hope this is clear,
PHP Database Mailing List (http://www.php.net/)
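
Added example, not part of the original post: a sketch of method 2 in PHP, where only a one-way hash is stored, so nothing in the database can be decrypted back into a password as it could under method 1. It assumes PHP 7.1 or later; the function names and the in-memory $users array are hypothetical stand-ins for the site's own code and database table.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for the users table (assumption for this example).
$users = [];

function register(array &$users, string $email, string $password): void
{
    $users[$email] = [
        // One-way, salted hash; the original password cannot be recovered from it.
        'hash'        => password_hash($password, PASSWORD_DEFAULT),
        'must_change' => false,
    ];
}

function login(array $users, string $email, string $password): bool
{
    return isset($users[$email])
        && password_verify($password, $users[$email]['hash']);
}

// Method 2: replace the forgotten password with a random temporary one.
function resetPassword(array &$users, string $email): ?string
{
    if (!isset($users[$email])) {
        return null; // caller shows the same message whether or not the account exists
    }
    $temp = bin2hex(random_bytes(8)); // 16 hex characters from the system CSPRNG
    $users[$email]['hash']        = password_hash($temp, PASSWORD_DEFAULT);
    $users[$email]['must_change'] = true; // require a new password at next login
    return $temp; // e-mailed to the user; only its hash is kept
}

// Constructed sample account.
register($users, 'alice@example.com', 'original secret');
var_dump(login($users, 'alice@example.com', 'original secret')); // before the reset

$temp = resetPassword($users, 'alice@example.com');
var_dump(login($users, 'alice@example.com', 'original secret')); // old password after reset
var_dump(login($users, 'alice@example.com', $temp));             // temporary password
var_dump($users['alice@example.com']['must_change']);            // change-required flag
var_dump(strpos($users['alice@example.com']['hash'], $temp));    // temp text inside stored hash?
```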