On 5/26/2010 1:30 AM, Eemeli Aro wrote:
> On 26 May 2010 02:03, DaveG <[email protected]> wrote:
>> On 5/25/2010 12:35 AM, V.Krishn wrote:
>>> Somehow I think sha1($email.$username.$password) should be sufficient.
>>> Secondly,
>>> As no user info (including email) is stored on the server,
>>> what would be the method to resend a new password when lost?
>>
>> You would never resend a password, but would rather reset it. So if the
>> email address is not stored, then basically follow the same process as
>> initial sign up.
>>
>> Note, I'm not suggesting there is no need to store email. Simply
>> highlighting it's not needed for password resets.
>
> Ummm, how exactly? If the server only keeps the username and password
> hash, how do you verify that the email address a password reset is
> sent to is that user's email address? How do you prevent an account
> being hijacked just by knowing the username?
What I meant to highlight was it's not necessary to use a stored email for a password reset -- thus the reset process could be the same as the registration process.

As you point out the email/password combo does need to be stored somewhere in order to actually authenticate.

 ~ ~ Dave
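The two designs argued over in this thread, as an added example that is not part of the discussion or of PmWiki itself: a store that keeps only sha1(email.username.password), and one that also keeps the sign-up email so a reset can be bound to it with a single-use token. Class and method names are my own; the addresses and passwords in the comments are constructed.

```python
import hashlib
import hmac
import secrets

def credential_hash(email, username, password):
    # The thread's proposal: one SHA-1 over email.username.password.
    # Illustration only: unsalted, unstretched SHA-1 is not a safe password hash today.
    return hashlib.sha1((email + username + password).encode()).hexdigest()

class HashOnlyStore:
    """Server keeps only {username: hash}; the email is never recorded."""
    def __init__(self):
        self.users = {}

    def register(self, email, username, password):
        self.users[username] = credential_hash(email, username, password)

    def login(self, email, username, password):
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(
            stored, credential_hash(email, username, password))
    # No reset method is possible here: checking a claimed address means
    # recomputing the hash, and the one input the user has lost is the password.

class EmailOnRecordStore(HashOnlyStore):
    """Server also keeps the sign-up email; a reset mails a random single-use
    token to that address only, so knowing a username is not enough."""
    def __init__(self):
        super().__init__()
        self.emails = {}   # username -> email on record
        self.tokens = {}   # username -> pending reset token

    def register(self, email, username, password):
        super().register(email, username, password)
        self.emails[username] = email

    def request_reset(self, username):
        # Returns (address, token); the caller emails the token to that address.
        token = secrets.token_urlsafe(32)
        self.tokens[username] = token
        return self.emails[username], token

    def complete_reset(self, username, token, new_password):
        pending = self.tokens.get(username)
        if pending is None or not hmac.compare_digest(pending, token):
            return False
        del self.tokens[username]   # single use: a token never works twice
        super().register(self.emails[username], username, new_password)
        return True
```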

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
