Is it really necessary to store passwords encrypted in a mySQL DB for a
membership site if you're not storing sensitive info such as credit card
numbers? How much security does that offer, really, and for whom?
The reason I ask is because I'm trying to implement a "forgot password"
feature on a membership site. But if I store passwords encrypted, I can't
just send the password to their e-mail address, I have to generate a new one
before sending it, which essentially locks that member out of the site until
they get their new password. This has the potential to be abused by a
vindictive person. All they need to know is the member's username or e-mail
address and they can keep re-generating new passwords (locking the member
out of their own account) for a member to annoy them.
If the password wasn't encrypted, I could just e-mail their existing
password. The only annoyance then would be someone sending this password
over and over to another user, but, at least they won't get 20 new passwords
and be locked out of their account as a result.
If anyone else has dealt with this issue, I'd appreciate your insight.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php