1. Make up a random new password, PASSWORD() it, and save it to the db while
also setting the password expiration date to 20 minutes in the future
and setting a 'must change password' flag; then mail the un-encrypted
password along with a link to change it.

2. Each time the visitor signs on, check the password expiration date; if
it's in the past, go to step 1.   Otherwise, check the
PASSWORD(visitor's input keyword) for validity. If not valid, ask for the
password again.  If valid, and the must-change-password flag is set on the
visitor's record, force the password change before allowing them any
further.  If you want to get really elaborate, you could store an array
of the last x passwords the visitor used, and not allow them to choose
one of those.

> -----Original Message-----
> From: Sam Folk-Williams [mailto:[EMAIL PROTECTED] 
> Sent: Monday, July 28, 2003 4:05 PM
> Subject: [PHP-DB] un-encrypting passwords
> Hi,
> I've got a PHP/MySQL site that uses a simple user table to check for a valid
> username/password match when logging someone in. I encrypted the passwords
> using mysql's PASSWORD() function. I now realize that was probably not the
> best choice, because I don't think it's possible to un-encrypt them. I want
> to add a feature that allows users to request to have their password emailed
> to them.
> Can anyone recommend a better method for encrypting passwords and how to
> unencrypt? (is there a function in PHP for this? Or a different MySQL
> function?)
> Thanks,
> Sam
> -- 
> Sam Folk-Williams
> Service Team Leader/Webmaster
> Rise, Inc -- Creative Partnerships South
> (952) 884 8330 (V);  (952) 884 8371 (F)
> www.rise.org
> -- 
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

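The two-step flow from the reply above, as an added example that is not the list's or the original poster's code: it keeps the reply's mechanics (random temporary password, 20-minute expiry, must-change flag, a short history of previous passwords) but assumes a salted PBKDF2-HMAC hash in place of MySQL's PASSWORD() and an in-memory dict in place of the user table; the plaintext returned by issue_temp_password is what the reply says to mail together with the change link.

```python
import hashlib
import hmac
import os
import secrets

TEMP_PASSWORD_TTL = 20 * 60  # step 1: expiry set 20 minutes ahead (seconds)
HISTORY_SIZE = 5             # "last x passwords" the visitor may not reuse

# Assumption: salted PBKDF2-HMAC-SHA256 stands in for MySQL's PASSWORD() here.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

users = {}  # constructed in-memory stand-in for the user table, not a real db

def issue_temp_password(username, now):
    """Step 1: random temp password hashed into the record, 20-minute expiry,
    must-change flag set. Returns the plaintext that would be mailed with the link."""
    temp = secrets.token_urlsafe(12)
    salt, digest = hash_password(temp)
    rec = users.setdefault(username, {"history": []})
    rec.update(salt=salt, digest=digest, expires=now + TEMP_PASSWORD_TTL, must_change=True)
    return temp

def login(username, password, now):
    """Step 2: 'expired' sends the caller back to step 1; 'must_change' blocks
    everything except the password-change form; 'now' is a Unix timestamp."""
    rec = users.get(username)
    if rec is None:
        return "invalid"
    if rec["expires"] is not None and rec["expires"] <= now:
        return "expired"
    if not verify(password, rec["salt"], rec["digest"]):
        return "invalid"
    return "must_change" if rec["must_change"] else "ok"

def change_password(username, new_password):
    """Rejects the current password and the last HISTORY_SIZE chosen ones,
    then stores the new hash and clears the expiry and the must-change flag."""
    rec = users[username]
    for salt, digest in rec["history"] + [(rec["salt"], rec["digest"])]:
        if verify(new_password, salt, digest):
            return False
    salt, digest = hash_password(new_password)
    rec["history"] = (rec["history"] + [(salt, digest)])[-HISTORY_SIZE:]
    rec.update(salt=salt, digest=digest, expires=None, must_change=False)
    return True
```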