You should give some consideration to _not_ emailing passwords.
Many popular sites rely on double entry of a password during registration
which reduces the need to email the password to the user during confirmation
of their registration.
The fact that most users have only 1 password which they use for /every/
registration process would make that email even more redundant (and quite a
large security risk for the user!).
The lost password procedure could just involve emailing the user a 'reset
password' link (perhaps even after asking for a mother's maiden name or
similar). IMHO this gives a very good security/ease-of-use trade-off.
-- ___
| |
|--+--
| |.HushFriend (you'll see).
.Stefan Holmes.
> -----Original Message-----
> From: Ian Firla [mailto:[EMAIL PROTECTED]
> Sent: 26 August 2004 14:25
> To: Aaron Todd
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Re: crypt()
>
> On Thu, 2004-08-26 at 15:01, Aaron Todd wrote:
> > Thanks for the tip, it worked great, however everything I have been reading
> > says that md5 is only one way. The way I have set up my app is the database
> > contains the encrypted version of what the user entered as their password.
> > Then on my login page there is an if statement that encrypts what the user
> > is entering as their password and then checking that against what is in the
> > database for them. This is working great!...Thanks again.
> >
> > My registration page is where the password gets encrypted and then sent to
> > the database. After the user registers and I accept them as a user they
> > receive an email containing their username and password. But the password
> > is encrypted. Is there a way to decrypt the encrypted password in the
> > database? Or am I going about this wrong?
>
> Send the password before it gets encrypted and put into the database.
>
> You can't decrypt an md5 encrypted password.
>
> Ian
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
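
The double-entry registration and 'reset password' link flow suggested in the reply above, sketched in PHP as an added example that is not code from anyone in the thread. It uses password_hash() rather than the md5() the thread discusses; the in-memory `$users` array, the function names and the `app.example` URL are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a users table (assumption; a real app uses a database).
$users = [];

function register(array &$users, string $name, string $pw, string $pwAgain): bool
{
    // Double entry at registration, so no plaintext copy needs to be mailed.
    if ($pw !== $pwAgain || isset($users[$name])) {
        return false;
    }
    // Salted one-way hash; swapped in here for the md5() the thread discusses.
    $users[$name] = ['hash' => password_hash($pw, PASSWORD_DEFAULT), 'reset' => null];
    return true;
}

function login(array $users, string $name, string $pw): bool
{
    return isset($users[$name]) && password_verify($pw, $users[$name]['hash']);
}

function startReset(array &$users, string $name, int $ttl = 1800): ?string
{
    if (!isset($users[$name])) {
        return null; // caller shows the same response either way
    }
    $token = bin2hex(random_bytes(32));
    // Keep only a digest, so a leaked table does not yield working links.
    $users[$name]['reset'] = ['digest' => hash('sha256', $token), 'expires' => time() + $ttl];
    return 'https://app.example/reset.php?user=' . rawurlencode($name) . '&token=' . $token;
}

function finishReset(array &$users, string $name, string $token, string $newPw): bool
{
    $r = $users[$name]['reset'] ?? null;
    if ($r === null || time() > $r['expires']
        || !hash_equals($r['digest'], hash('sha256', $token))) {
        return false;
    }
    $users[$name]['hash'] = password_hash($newPw, PASSWORD_DEFAULT);
    $users[$name]['reset'] = null; // single use: a replayed link is rejected
    return true;
}

// Constructed demo: the link is what would be e-mailed to the user.
register($users, 'aaron', 'first-pass', 'first-pass');
parse_str((string) parse_url((string) startReset($users, 'aaron'), PHP_URL_QUERY), $q);
var_dump(finishReset($users, 'aaron', $q['token'], 'second-pass'));
var_dump(finishReset($users, 'aaron', $q['token'], 'third-pass'), login($users, 'aaron', 'second-pass'));
```

Only the link is ever mailed, and it stops working after one use or after the expiry window, so a mailbox compromise later on does not expose a reusable password.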