There are a few ways to go about this-

1) The "secret question" method, where the user enters a question
only they would know the answer to upon signing up, and they can
use this to get in if they forget the password. Which begs the
question - why use a password in the first place?

2) Administrator intervention- a request is made to an administrator,
who sets a new password on behalf of the user.

3) Email a generated password- Generate a password, and email
it to the user. However, malicious users could do this to shut off
other people's accounts, so perhaps you should have a two step
process:

    a) the user says "I've lost my password" and an email is sent to
    said user's email address...

    b) the email contains a link to a script, which only then generates
    a new password and sends it back to the user. This makes sure
    that whoever is making the request at least has access to the
    email account listed for that user, and you can be more sure that
    nothing too shady's going on :-) Oh, and for verification, the
    link could be something like

    http://your.site.com/scripts/newpw?oldpw=foo&user=x

    where foo is the md5() password already in the database, so in
    order to spoof the link the hacker would already need to know
    the password or have db axs in the first place :)

Hope I've given you some ideas.

Gfunk         -          http://www.gfunk007.com/

I sense much beer in you. Beer leads to intoxication, intoxication to
hangovers, and hangovers to... suffering.
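
The two-step flow from the message above, as an added example that is not part of the original post: instead of the stored md5() password, which would expose the hash in the mail, browser history and server logs, the link carries a random, single-use, expiring token. The `$resets` array, the function names and the `token` parameter are hypothetical; the host is the post's placeholder.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory stand-in for a password_resets table:
// user => ['hash' => sha256(token), 'expires' => unix time]
$resets = [];

// Step a) "I've lost my password": mint a random token, keep only its
// hash server-side, and return the link to be mailed to the user.
function issueResetLink(array &$resets, string $user, int $now, int $ttl = 900): string
{
    $token = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG
    $resets[$user] = [
        'hash'    => hash('sha256', $token),  // a DB read does not yield a usable link
        'expires' => $now + $ttl,
    ];
    // Hypothetical URL shape; the host is the placeholder used in the post.
    return 'https://your.site.com/scripts/newpw?user=' . rawurlencode($user)
         . '&token=' . $token;
}

// Step b) the link is followed: accept the token once, before it expires.
// Only on true does the caller generate and mail the new password.
function redeemResetToken(array &$resets, string $user, string $token, int $now): bool
{
    $row = $resets[$user] ?? null;
    if ($row === null) {
        return false;                         // nothing pending for this user
    }
    if ($now > $row['expires']) {
        unset($resets[$user]);                // stale request, drop it
        return false;
    }
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        return false;                         // wrong token; pending request stays
    }
    unset($resets[$user]);                    // single use
    return true;
}

// Constructed walk-through with a fixed clock (seconds).
$link = issueResetLink($resets, 'x', 1000);
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
var_dump(redeemResetToken($resets, 'x', 'guessed-token', 1001)); // wrong token
var_dump(redeemResetToken($resets, 'x', $q['token'], 1001));     // genuine link
var_dump(redeemResetToken($resets, 'x', $q['token'], 1002));     // replay of same link
issueResetLink($resets, 'x', 2000);
var_dump(redeemResetToken($resets, 'x', 'anything', 2000 + 901)); // after expiry
```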


----- Original Message -----
From: "Maxim Maletsky" <[EMAIL PROTECTED]>
To: "'Josh G'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, January 16, 2001 1:17 PM
Subject: RE: [PHP] password() ::: and it's return...


> No, simply when someone loses its password. How do developers return it on
> their systems? What are the procedures, tips to do, tricks etc....
>
> This is because I am working on a similar system right now, and the
> "password return" part is the one I am not too sure yet. Plus many of us
> would learn something new.
>
> Maxim Maletsky
>
> -----Original Message-----
> From: Josh G [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 16, 2001 11:07 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] password() ::: and it's return...
>
>
> I'm not sure I understand the question. What exactly do you mean? Are
> you talking about returning it from the client already encrypted? Not sure
> if anybody does that, as JS doesn't have a whole lot of useful encryption
> stuff in it, and iirc the md5() algorithm is rather lengthy.
>
> Gfunk         -          http://www.gfunk007.com/
>
> I sense much beer in you. Beer leads to intoxication, intoxication to
> hangovers, and hangovers to... suffering.
>
>
> ----- Original Message -----
> From: "Maxim Maletsky" <[EMAIL PROTECTED]>
> To: "'Chris Lee'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Tuesday, January 16, 2001 1:01 PM
> Subject: RE: [PHP] password() ::: and it's return...
>
>
> >
> > Instead I am curious how other developers on this list are returning the
> > MD5, password() or whatever in permanently encrypted passwords...
> >
> > What are procedures and what is the way the return process work?
> > Any tricks/tips to share with all of us?
> >
> > Cheers,
> > Maxim Maletsky
> >
> >
> >
> > -----Original Message-----
> > From: Chris Lee [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, January 16, 2001 10:53 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] password()
> >
> >
> > simple answer is no. the only way to decrypt the passwd is to run it through
> > a cracker. All admins are used to this and know that if a user has lost a
> > passwd that they are going to have to give them a new one, finding the old
> > just isn't worth one week of processing time :)
> >
> > I'm curious to see how other php developers store their passwd's
> > -plain text in db
> > -use of unix password()
> > -use of db password()
> > -other ?
> >
> > Chris Lee
> > Mediawaveonline.com
> >
> >
> > "Jason Jacobs" <[EMAIL PROTECTED]> wrote in message
> > news:011501c07f3f$c415bcc0$5800a8c0@doc...
> > > Hi.  I use password() to encrypt my passwords when I'm adding users to my
> > > mysql database.  I'm wondering if there's a function to use to un-encrypt it
> > > (for a web interface to change the password, and so the admin who is editing
> > > user info can see what it is).  Thanks for any help.
> > >
> > > Jason
> > >
> > >
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> > >
> >
> >
> >
>
>

