You should give some consideration to _not_ emailing passwords. Many popular sites rely on double entry of a password during registration, which reduces the need to email the password to the user during confirmation of their registration.
The fact that most users have only 1 password which they use for /every/ registration process would make that email even more redundant (and quite a large security risk for the user!). The lost password procedure could just involve emailing the user a 'reset password' link (perhaps even after asking for a mother's maiden name or similar). IMHO this gives a very good security/ease-of-use trade-off.

--
___ | | |--+-- | |.HushFriend (you'll see). .Stefan Holmes.

> -----Original Message-----
> From: Ian Firla [mailto:[EMAIL PROTECTED]
> Sent: 26 August 2004 14:25
> To: Aaron Todd
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Re: crypt()
>
> On Thu, 2004-08-26 at 15:01, Aaron Todd wrote:
> > Thanks for the tip, it worked great, however everything I have been reading
> > says that md5 is only one way. The way I have setup my app is the database
> > contains the encrypted version of what the user entered as their password.
> > Then on my login page there is an if statement that encrypts what the user
> > is entering as their password and then checking that against what is in the
> > database for them. This is working great!...Thanks again.
> >
> > My registration page is where the password gets encrypted and then sent to
> > the database. After the user registers and I accept them as a user they
> > receive an email containing their username and password. But the password
> > is encrypted. Is there a way to decrypt the encrypted password in the
> > database? Or am I going about this wrong?
>
> Send the password before it gets encrypted and put into the database.
>
> You can't decrypt an md5 encrypted password.
>
> Ian

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
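
The 'reset password' link suggested in the reply above, sketched as an added example that is not part of the original thread. The function names, the in-memory `$users` array standing in for a database table, and the `example.com` URL are assumptions; it needs PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for the users table (assumption for this example).
$users = [
    'aaron' => ['hash' => password_hash('old-secret', PASSWORD_DEFAULT),
                'reset_hash' => null, 'reset_expires' => 0],
];

// Issue a single-use token. Only its SHA-256 digest is stored; the raw token goes in the link.
function issueResetToken(array &$users, string $name, int $now, int $ttl = 1800): ?string
{
    if (!isset($users[$name])) {
        return null;                       // caller should answer the same way either way
    }
    $token = bin2hex(random_bytes(32));    // 256 bits from the CSPRNG
    $users[$name]['reset_hash'] = hash('sha256', $token);
    $users[$name]['reset_expires'] = $now + $ttl;
    return $token;
}

// Redeem a token: expiry check, constant-time compare, then invalidate it.
function redeemResetToken(array &$users, string $name, string $token, string $newPassword, int $now): bool
{
    $u = $users[$name] ?? null;
    if ($u === null || $u['reset_hash'] === null || $now > $u['reset_expires']) {
        return false;
    }
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    // The new password is stored only as a salted one-way hash and is never emailed.
    $users[$name]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$name]['reset_hash'] = null;    // single use
    return true;
}

$now = time();
$token = issueResetToken($users, 'aaron', $now);
echo "https://example.com/reset.php?user=aaron&token=$token\n";   // the link that gets emailed

var_dump(redeemResetToken($users, 'aaron', 'wrong-token', 'x', $now));           // wrong token
var_dump(redeemResetToken($users, 'aaron', $token, 'new-secret', $now + 3600));  // past the 30-minute expiry
var_dump(redeemResetToken($users, 'aaron', $token, 'new-secret', $now + 60));    // valid and in time
var_dump(redeemResetToken($users, 'aaron', $token, 'again', $now + 61));         // replay of a used token
var_dump(password_verify('new-secret', $users['aaron']['hash']));                // login check needs no decryption
```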