On 26 May 2010 02:03, DaveG <[email protected]> wrote:
> On 5/25/2010 12:35 AM, V.Krishn wrote:
>> Somehow I think sha1($email.$username.$password) should be sufficient.
>> Secondly,
>> As no user info (including email) is stored on server,
>> what would be the method to resend new password when lost?
>
> You would never resend a password, but would rather reset it. So if the
> email address is not stored, then basically follow the same process as
> initial sign up.
>
> Note, I'm not suggesting there is no need to store email. Simply
> highlighting it's not needed for password resets.
Ummm, how exactly? If the server only keeps the username and password hash, how do you verify that the email address a password reset is sent to is that user's email address? How do you prevent an account being hijacked just by knowing the username?

eemeli

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
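The design question raised in this reply, as an added example that is not code from the thread or from PmWiki: the proposed sha1(email.username.password) scheme can check a complete login tuple, but a reset request arrives without the password, so the server has nothing to compare the claimed address against, whereas keeping the sign-up address lets a reset be bound to it with a random, expiring, single-use token. The class and function names, the 15-minute token lifetime and the constructed addresses are assumptions.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 15 * 60  # assumed policy: a reset token expires after 15 minutes
def sha1_hex(text):
    # The thread's sha1($email.$username.$password); unsalted SHA-1 is kept to match it, not recommended.
    return hashlib.sha1(text.encode()).hexdigest()

class EmaillessStore:
    """Scheme under discussion: username -> sha1(email + username + password), nothing else."""
    def __init__(self):
        self.users = {}

    def register(self, username, email, password):
        self.users[username] = sha1_hex(email + username + password)

    def verify_login(self, username, email, password):
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, sha1_hex(email + username + password))

    def request_reset(self, username, claimed_email):
        # The only stored value binds email, username and password together, so the
        # claimed address cannot be checked without the lost password: refuse.
        return None

class StoredEmailStore:
    """Keeps the sign-up address, so a reset request can be bound to it."""
    def __init__(self):
        self.users = {}   # username -> (email, password digest)
        self.tokens = {}  # token -> (username, expiry timestamp)

    def register(self, username, email, password):
        self.users[username] = (email, sha1_hex(email + username + password))

    def request_reset(self, username, claimed_email, now):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[0].encode(), claimed_email.encode()):
            return None  # unknown user or non-matching address: nothing is sent
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, now + TOKEN_TTL)
        return token  # mailed only to the stored address rec[0], never to the claimed one

    def complete_reset(self, token, new_password, now):
        entry = self.tokens.pop(token, None)  # single use
        if entry is None or now > entry[1]:
            return False  # unknown, already used, or expired
        username, email = entry[0], self.users[entry[0]][0]
        self.users[username] = (email, sha1_hex(email + username + new_password))
        return True
```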
