Very true -- forgot to mention that step :)

Thanks for the reminder!!

Justin


on 18/02/03 12:49 PM, Jason Sheets ([EMAIL PROTECTED]) wrote:

> If you do a password reset system please remember not to reset the
> password before they confirm who they are.
> 
> This means instead of having them enter their login and email address
> and immediately resetting their password, send the account owner an e-mail
> with a link that will reset their password; if you have SSL, make the
> link go over SSL so that the traffic is secure.  The link should
> contain a unique id that was randomly generated and stored in the
> database. When they click the link, validate the account name, email
> address and the unique id; if they match, reset the password and remove
> the unique id from the list of approved ids. This prevents someone from
> replaying the URL and resetting the password again.
> 
> Jason
> 
> On Mon, 2003-02-17 at 17:48, Justin French wrote:
>> on 18/02/03 3:59 AM, Vernon ([EMAIL PROTECTED]) wrote:
>> 
>>> I'm thinking that the MD5 function more than likely encrypts a password to
>>> store into a database, and when you log in using the MD5 function it will
>>> simply encrypt the value being passed along again the same way. Now I'm
>>> wondering what happens when a user has lost their password and needs to
>>> retrieve it; there is no way to reverse the process, is there?
>> 
>> No, there isn't -- md5() is NOT encryption (a 1 meg file and a 5 character
>> password will both have the same length md5 value).
>> 
>> You would need to write a script which resets their password, and sends it
>> to them via email.
>> 
>> If they've forgotten what password they set, then they're obviously not too
>> precious about it being the same password.  Reset it to something random,
>> send it to them via email (handy for confirming their email address is still
>> valid), let them login with that password, and let them change it to something
>> else if they wish.
>> 
>> Justin French
>> 
>> 
>> -- 
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
> 


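The confirm-before-reset flow Jason describes, as an added example that is not code from the thread. It is written in Python rather than PHP so it runs stand-alone; the account store, e-mail address and URL are constructed for the demo. It goes slightly beyond the post by storing only a hash of the id and giving it an expiry.

```python
# Added example (not from the thread): Jason's confirm-before-reset flow.
# The "database" is an in-memory dict constructed here; e-mail sending is simulated
# by returning the link that would be mailed.
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

def _h(s):
    """Hex SHA-256 of a string (demo only; use bcrypt/argon2 for real passwords)."""
    return hashlib.sha256(s.encode()).hexdigest()

# Constructed sample account store: username -> record with a hashed password.
USERS = {
    "alice": {"email": "alice@example.com", "pw_hash": _h("old-secret")},
}
# Approved reset ids per username: sha256(id) -> expiry timestamp.
# Keeping only the hash means a leaked table cannot be turned back into a link.
PENDING_RESETS = {}
TOKEN_TTL = 3600  # seconds a reset link stays valid (assumption)

def _account_matches(username, email):
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["email"].encode(), email.encode())

def request_reset(username, email):
    """Step 1: do NOT reset yet; record a random id and build the confirmation link."""
    if not _account_matches(username, email):
        return None  # same outcome whichever field was wrong
    token = secrets.token_urlsafe(32)          # unpredictable, single-use id
    PENDING_RESETS.setdefault(username, {})[_h(token)] = time.time() + TOKEN_TTL
    # Constructed URL; in production this goes over HTTPS in the e-mail body.
    return "https://example.com/reset?" + urlencode({"user": username, "email": email, "id": token})

def confirm_reset(username, email, token, new_password):
    """Step 2: validate account name, e-mail and id together; consume the id; then reset."""
    if not _account_matches(username, email):
        return False
    # pop() removes the id before resetting, so the same URL cannot be replayed
    expiry = PENDING_RESETS.get(username, {}).pop(_h(token), None)
    if expiry is None or time.time() > expiry:
        return False
    USERS[username]["pw_hash"] = _h(new_password)
    return True

def check_password(username, password):
    """Login check against the stored hash."""
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["pw_hash"], _h(password))
```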