Dylan Barber wrote:
I am building a security script and am wondering what should I do to enable
a user to recover his/her password if they forget it.  I currently use
PASSWORD() when inserting the password into the database so I don't know how
to send them a unhashed string.

Can someone direct me to an example or give me a few ideas!

Quote from MySQL manual: "Note: The PASSWORD() function is used by the authentication system in MySQL Server, you should not use it in your own applications. For that purpose, use MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your application."

Your application should reset the password to some random value for the user rather than giving them their original back and force them to change it the next time they log on.


---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to