Hi

Retrieving lost passwords is a lot less hassle than setting up a new one,
for the user. IMHO a job site would be better with more convenience and less
security.

So I would go for option 1 - encrypt / decrypt

If you were storing very sensitive information then go for option 2.

Peter


-----------------------------------------------
Excellence in internet and open source software
-----------------------------------------------
Sunmaia
www.sunmaia.net
[EMAIL PROTECTED]
tel. 0121-242-1473
-----------------------------------------------

> -----Original Message-----
> From: Lisi [mailto:[EMAIL PROTECTED]]
> Sent: 30 June 2002 10:25
> To: [EMAIL PROTECTED]
> Subject: [PHP-DB] Storing passwords in a database
>
>
> I know there's been discussion on the list before on this topic,
> but I'm a
> little fuzzy on the details.
>
> I want to create a site where users can create an account online,
> and then
> log in to search job postings.  I want to store their user info and
> password in a database. I need a way for them to retrieve their passwords
> if forgotten. I know there are two basic approaches:
>
> 1) Storing the passwords using some form of encryption, which can be
> reversed and the password can be emailed to the user.
>
> This seems to me to be preferable, since they don't have to change their
> password whenever they forget it. However, are there security issues with
> this? I know many people recommend the second method:
>
> 2) Generating a new random password which the user can then use to log in
> and change to whatever they want.
>
> What are the advantages of this, since someone would need access to the
> person's email address with either method 1 or 2 in order to steal the
> password?
>
> What functions should I be looking at for encryption, for either method?
> What are advantages and disadvantages of each method?
>
> The site will not take credit card information, all accounts are free. So
> the security issues are much less, but of course you do not want a site
> where people's accounts are stolen even if there is not money involved.
>
> I hope this is clear,
>
> -Lisi
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
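Added example for Lisi's question about which functions to look at (this is editor-supplied code, not from either poster or from any PHP project): method 2 as it is normally built in current PHP. The password is stored only as a one-way hash (password_hash()/password_verify(), PHP 5.5+), so a copy of the table does not reveal anyone's password, and the "forgot password" path mints a random, single-use, time-limited reset token (random_bytes(), PHP 7+) whose hash is stored instead of e-mailing a new password. The $users array stands in for the database table and every function name here is hypothetical.

```php
<?php
// Added example, not from the original thread. $users stands in for the
// users table; register/login/startReset/finishReset are hypothetical names.

// Registration: keep only a salted, slow hash of the password.
function register(array &$users, string $email, string $password): void {
    $users[$email] = [
        'pw_hash'      => password_hash($password, PASSWORD_DEFAULT),
        'reset_hash'   => null,
        'reset_expiry' => 0,
    ];
}

// Login: compare against the stored hash; the plaintext never reaches the DB.
function login(array $users, string $email, string $password): bool {
    return isset($users[$email])
        && password_verify($password, $users[$email]['pw_hash']);
}

// "Forgot password": mint a random token, store only its SHA-256 (the token
// already has 256 bits of entropy, so a fast hash is enough here) with a
// short expiry, and hand the token back so it can be e-mailed as a reset link.
// A leaked table then contains nothing that logs an attacker in.
function startReset(array &$users, string $email, int $ttl = 3600): ?string {
    if (!isset($users[$email])) {
        // Caller should show the same "check your e-mail" message either way,
        // so the form does not reveal which addresses have accounts.
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $users[$email]['reset_hash']   = hash('sha256', $token);
    $users[$email]['reset_expiry'] = time() + $ttl;
    return $token;
}

// Reset link clicked: check expiry, compare the token hash in constant time,
// set the new password and burn the token so it cannot be replayed.
function finishReset(array &$users, string $email, string $token, string $newPassword): bool {
    if (!isset($users[$email]) || $users[$email]['reset_hash'] === null) {
        return false;
    }
    $u = &$users[$email];
    if (time() > $u['reset_expiry']
        || !hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $u['pw_hash']      = password_hash($newPassword, PASSWORD_DEFAULT);
    $u['reset_hash']   = null;
    $u['reset_expiry'] = 0;
    return true;
}

// Walk-through on constructed data (no real accounts involved).
$users = [];
register($users, 'lisi@example.com', 'correct horse');

echo "login, right password:  ", login($users, 'lisi@example.com', 'correct horse') ? "ok" : "denied", "\n";
echo "login, wrong password:  ", login($users, 'lisi@example.com', 'wrong') ? "ok" : "denied", "\n";

$token = startReset($users, 'lisi@example.com');   // this is what goes in the e-mail link
echo "reset with bogus token: ", finishReset($users, 'lisi@example.com', 'bogus', 'x') ? "accepted" : "rejected", "\n";
echo "reset with real token:  ", finishReset($users, 'lisi@example.com', $token, 'battery staple') ? "accepted" : "rejected", "\n";
echo "reuse of same token:    ", finishReset($users, 'lisi@example.com', $token, 'again') ? "accepted" : "rejected", "\n";
echo "login, new password:    ", login($users, 'lisi@example.com', 'battery staple') ? "ok" : "denied", "\n";
```

The point of the two hashes is different: the password hash must be slow (bcrypt via PASSWORD_DEFAULT) because users pick guessable passwords, while the reset token is unguessable by construction and only needs to be kept out of the table in clear form. With method 1 the mail also carries a credential, but the database additionally holds every password in a recoverable form, which is the extra exposure Lisi is asking about.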