On Mon, 29 Jul 2002 17:30:48 -0400, you wrote:

>Is it really necessary to store passwords encrypted in a mySQL DB for a
>membership site if you're not storing sensitive info such as credit card
>numbers? How much security does that offer, really, and for whom?
[...]
>The reason I ask is because I'm trying to implement a "forgot password"
>feature on a membership site.
[...]

My two cents...

I'm generally in favor of encrypting passwords, for the same reason
that another poster mentioned:  People use the same password for
multiple accounts/sites/etc.  I know that I do.  And if I knew that I
just signed up for some account/service and the people hosting it were
storing my password in plain text, I would be a bit perturbed.  I
would think them at least amateurish, probably careless, and possibly
untrustworthy.

With that said, sometimes plain text passwords are called for.  But
when you use them make *certain* you inform the user when they sign
up.  For example, many mailing lists store passwords in plain text and
email you a reminder, with your password, at a certain interval.
These mailing lists usually warn you in advance to not use one of your
secure passwords, since it will occasionally be emailed in plain text.
This is an example of where storing in plain text is fine, because
mailing lists aren't critical things, and the convenience of being able
to remind people what their password is outweighs any security
concerns.

If you decide that you want to encrypt the passwords, but you still
want a secure way to remind people what their password is, you can
either use the unique authorization code method that one other poster
mentioned (I have some Perl code that handles that for a project I'm
working on, if you're interested), OR you can use the secret question
secret answer method.  This is where you ask the user to enter a
secret question such as mother's maiden name, favorite color, etc. and
also to enter the answer.  Then later you can ask them the question
and compare their answer to determine if they are who they say they
are...

HTH

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
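For readers following the thread, here is a worked version of the approach the message sketches: salted, slow password hashing instead of plain text, the "unique authorization code" reset flow, and the secret question/answer check. This is an added example, not code from the original poster or from the PHP project. It is written in Python rather than PHP so it can be run as-is; the in-memory `users` dict stands in for the MySQL membership table, PBKDF2-HMAC-SHA256 with 600,000 iterations is the assumed hashing choice, the 15-minute code lifetime is an assumed policy, and sending the email is left to the caller (the issue function returns the code to send).

```python
import hashlib
import hmac
import os
import re
import secrets
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 at this iteration count is an acceptable
# password-hashing choice here; argon2/bcrypt are preferable where available.
PBKDF2_ITERATIONS = 600_000
RESET_CODE_TTL = 15 * 60  # seconds a reset code stays valid (assumed policy)


def hash_secret(secret: str) -> str:
    """Salted, deliberately slow hash for low-entropy secrets (passwords, answers)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Verified against when a username is unknown, so response time does not
# reveal which usernames exist.
_DUMMY_HASH = hash_secret("placeholder-not-a-real-password")


def normalize_answer(answer: str) -> str:
    """Secret answers are compared case-insensitively with whitespace collapsed."""
    return re.sub(r"\s+", " ", answer.strip().lower())


def create_account(users: dict, username: str, password: str,
                   question: str, answer: str) -> None:
    """Only hashes reach the table; plaintext password and answer are dropped."""
    users[username] = {
        "password": hash_secret(password),
        "question": question,
        "answer": hash_secret(normalize_answer(answer)),
        "reset": None,  # {"code_hash": ..., "expires": ...} while a reset is pending
    }


def verify_password(users: dict, username: str, password: str) -> bool:
    record = users.get(username)
    stored = record["password"] if record else _DUMMY_HASH
    return verify_secret(password, stored) and record is not None


def check_secret_answer(users: dict, username: str, answer: str) -> bool:
    """Secret-question method: the answer is treated as a second, weaker password."""
    record = users.get(username)
    stored = record["answer"] if record else _DUMMY_HASH
    return verify_secret(normalize_answer(answer), stored) and record is not None


def issue_reset_code(users: dict, username: str, now: float) -> Optional[str]:
    """Authorization-code method: mint a random code for the caller to email.

    Only a SHA-256 of the code is stored (a fast hash suffices because the code
    carries 256 bits of entropy), so a leaked table does not let anyone
    complete a pending reset.
    """
    record = users.get(username)
    if record is None:
        return None  # caller shows the same "check your email" message either way
    code = secrets.token_urlsafe(32)
    record["reset"] = {
        "code_hash": hashlib.sha256(code.encode("ascii")).hexdigest(),
        "expires": now + RESET_CODE_TTL,
    }
    return code


def redeem_reset_code(users: dict, username: str, code: str,
                      new_password: str, now: float) -> bool:
    """Accept the emailed code once, before expiry, and set a new password."""
    record = users.get(username)
    pending = record["reset"] if record else None
    if pending is None:
        return False
    if now >= pending["expires"]:
        record["reset"] = None  # expired codes are discarded, not retried
        return False
    presented = hashlib.sha256(code.encode("ascii")).hexdigest()
    if not hmac.compare_digest(presented, pending["code_hash"]):
        return False
    record["reset"] = None  # single use
    record["password"] = hash_secret(new_password)
    return True
```

The reset code is generated with `secrets`, never derived from account data, and is stored only as a hash with an expiry; a wrong or late code fails closed and a redeemed one cannot be replayed. The secret-answer path goes through the same slow hash as the password because answers like "favorite color" are guessable, which is also why the message's list-reminder scenario (emailing the password back) only works when the password was never meant to be secret.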
