On Mon, 29 Jul 2002 17:30:48 -0400, you wrote:
>Is it really necessary to store passwords encrypted in a mySQL DB for a
>membership site if you're not storing sensitive info such as credit card
>numbers? How much security does that offer, really, and for whom?
>The reason I ask is because I'm trying to implement a "forgot password"
>feature on a membership site.
My two cents...
I'm generally in favor of encrypting passwords, for the same reason
that another poster mentioned: People use the same password for
multiple accounts/sites/etc. I know that I do. And if I knew that I
just signed up for some account/service and the people hosting it were
storing my password in plain text, I would be a bit perturbed. I
would think them at least amateurish, probably careless, and possibly
With that said, sometimes plain text passwords are called for. But
when you use them make *certain* you inform the user when they sign
up. For example, many mailing lists store passwords in plain text and
email you a reminder, with your password, at a certain interval.
These mailing lists usually warn you in advance to not use one of your
secure passwords, since it will occasionally be emailed in plain text.
This is an example of where storing in plain text is fine, because
mailing lists aren't critical things, and the convience of being able
to remind people what their password is outweighs any security
If you decide that you want to encrypt the passwords, but you still
want a secure way to remind people what their password is, you can
either use the unique authorization code method that one other poster
mentioned (I have some Perl code that handles that for a project I'm
working on, if you're interested), OR you can use the secret question
secret answer method. This is where you ask the user to enter a
secret question such as mother's maiden name, favorite color, etc. and
also to enter the answer. Then later you can ask them the question
and compare their answer to determine if they are who they say they
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php