Hi

Retrieving lost passwords is a lot less hassle than setting up a new one, for the user. IMHO a job site would be better with more convenience and less security.

So I would go for option 1 - encrypt / decrypt. If you were storing very sensitive information then go for option 2.

Peter

-----------------------------------------------
Excellence in internet and open source software
-----------------------------------------------
Sunmaia
www.sunmaia.net
[EMAIL PROTECTED]
tel. 0121-242-1473
-----------------------------------------------

> -----Original Message-----
> From: Lisi [mailto:[EMAIL PROTECTED]]
> Sent: 30 June 2002 10:25
> To: [EMAIL PROTECTED]
> Subject: [PHP-DB] Storing passwords in a database
>
>
> I know there's been discussion on the list before on this topic, but I'm a
> little fuzzy on the details.
>
> I want to create a site where users can create an account online, and then
> log in to search job postings. I want to store their user info and
> password in a database. I need a way for them to retrieve their passwords
> if forgotten. I know there are two basic approaches:
>
> 1) Storing the passwords using some form of encryption, which can be
> reversed and the password can be emailed to the user.
>
> This seems to me to be preferable, since they don't have to change their
> password whenever they forget it. However, are there security issues with
> this? I know many people recommend the second method:
>
> 2) Generating a new random password which the user can then use to log in
> and change to whatever they want.
>
> What are the advantages of this, since someone would need access to the
> person's email address with either method 1 or 2 in order to steal the
> password?
>
> What functions should I be looking at for encryption, for either method?
> What are advantages and disadvantages of each method?
>
> The site will not take credit card information, all accounts are free. So
> the security issues are much less, but of course you do not want a site
> where people's accounts are stolen even if there is not money involved.
>
> I hope this is clear,
>
> -Lisi
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
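The thread's option 2 written out in modern PHP (7.1 or later), as an added example that is not code from either poster: the password is stored only as a one-way hash, so a forgotten password is replaced rather than recovered, and the recovery e-mail carries a short-lived, single-use token instead of a password. The PDO connection `$db` and the `users` table with columns `email`, `pw_hash`, `reset_hash` and `reset_expires` are assumptions.

```php
<?php
// Added example (not code from either poster): option 2 from the thread done
// with one-way hashes, in modern PHP (>= 7.1). The PDO handle $db and the
// users table with columns email, pw_hash, reset_hash, reset_expires are assumed.
declare(strict_types=1);

// Registration: store only a salted, slow hash of the password, never the password.
function storeNewUser(PDO $db, string $email, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);   // bcrypt, random salt
    $stmt = $db->prepare('INSERT INTO users (email, pw_hash) VALUES (:e, :h)');
    $stmt->execute([':e' => $email, ':h' => $hash]);
}

// Login: password_verify recomputes the hash and compares in constant time.
function checkLogin(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE email = :e');
    $stmt->execute([':e' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pw_hash']);
}

// Forgotten password: the old password cannot be mailed back because it was
// never stored. Issue a random, single-use token that expires in one hour;
// only its SHA-256 is kept in the database, the clear token goes in the e-mail.
function createResetToken(PDO $db, string $email): ?string {
    $token = bin2hex(random_bytes(32));                  // 256 bits from the CSPRNG
    $stmt = $db->prepare('UPDATE users SET reset_hash = :h, reset_expires = :x'
                       . ' WHERE email = :e');
    $stmt->execute([':h' => hash('sha256', $token), ':x' => time() + 3600,
                    ':e' => $email]);
    return $stmt->rowCount() === 1 ? $token : null;     // null: no such account
}

// The token from the e-mail link plus the new password the user chose.
function resetPassword(PDO $db, string $token, string $newPassword): bool {
    $stmt = $db->prepare('SELECT id, reset_expires FROM users WHERE reset_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['reset_expires'] < time()) {
        return false;                                    // unknown or expired token
    }
    // Store the new hash and clear the token in one statement: single use.
    $stmt = $db->prepare('UPDATE users SET pw_hash = :h, reset_hash = NULL,'
                       . ' reset_expires = NULL WHERE id = :id');
    $stmt->execute([':h' => password_hash($newPassword, PASSWORD_DEFAULT),
                    ':id' => $row['id']]);
    return true;
}
```

Whether or not the address exists, the page that calls `createResetToken` should show the same "if that account exists, a link has been sent" message, so the reset form does not reveal which e-mail addresses are registered.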