You should give some consideration to _not_ emailing passwords.
Many popular sites rely on double entry of a password during registration
which reduces the need to email the password to the user during confirmation
of their registration.
The fact that most users have only 1 password which they use for /every/
registration process would make that email even more redundant (and quite a
large security risk for the user!).
The lost password procedure could just involve emailing the user a 'reset
password' link (perhaps even after asking for a mother's maiden name or
similar). IMHO this gives a very good security/ease-of-use trade-off.
-- ___
| |
|--+--
| |.HushFriend (you'll see).
.Stefan Holmes.
-Original Message-
From: Ian Firla [mailto:[EMAIL PROTECTED]
Sent: 26 August 2004 14:25
To: Aaron Todd
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: crypt()
On Thu, 2004-08-26 at 15:01, Aaron Todd wrote:
Thanks for the tip, it worked great. However, everything I have been reading says that md5 is only one way. The way I have set up my app is the database contains the encrypted version of what the user entered as their password. Then on my login page there is an if statement that encrypts what the user is entering as their password and then checks that against what is in the database for them. This is working great!... Thanks again.

My registration page is where the password gets encrypted and then sent to the database. After the user registers and I accept them as a user they receive an email containing their username and password. But the password is encrypted. Is there a way to decrypt the encrypted password in the database? Or am I going about this wrong?
Send the password before it gets encrypted and put into the database.
You can't decrypt an md5 encrypted password.
Ian
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
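As an added example that is not part of the thread, the PHP below puts both halves of the discussion side by side: Aaron's one-way store (hash at registration, hash-and-compare at login, with nothing stored that could be "decrypted" and mailed back) and Stefan's lost-password flow (a random reset token emailed as a link, with only the token's digest kept in the database, plus an expiry and single use). PHP's later password_hash()/password_verify() API is substituted for the md5() the thread used; the in-memory $users array, the account names, the example.com link, and the 15-minute token lifetime are all constructed for the illustration and are not from the original posts.

```php
<?php
// Added example, not code from the thread. password_hash() replaces the
// md5() discussed on the list; $users is a constructed stand-in for the DB.
declare(strict_types=1);

const RESET_TTL = 900; // assumption: a reset link is valid for 15 minutes

$users = []; // username => ['hash' => string, 'reset' => null|array]

// Registration: store only the one-way hash. The plaintext is never kept,
// so there is nothing to decrypt later and nothing to put in a welcome mail.
function register(array &$users, string $username, string $password): void
{
    $users[$username] = [
        'hash'  => password_hash($password, PASSWORD_DEFAULT),
        'reset' => null,
    ];
}

// Login: exactly the hash-and-compare the thread describes, except that
// password_verify() supplies the salt handling and a constant-time compare.
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]['hash']);
}

// Lost password, step 1: mint a random token, store only its SHA-256 digest
// with an expiry, and hand the plaintext token back so it can be emailed.
// Like the password, the database copy cannot be turned back into the token.
function createResetToken(array &$users, string $username, int $now): ?string
{
    if (!isset($users[$username])) {
        return null; // the UI should still say "if that account exists, a mail was sent"
    }
    $token = bin2hex(random_bytes(32));
    $users[$username]['reset'] = [
        'digest'  => hash('sha256', $token),
        'expires' => $now + RESET_TTL,
    ];
    return $token;
}

// Lost password, step 2: the link is clicked. Enforce expiry, compare the
// digest in constant time, consume the token, then store the new hash.
function consumeResetToken(array &$users, string $username, string $token,
                           string $newPassword, int $now): bool
{
    $pending = $users[$username]['reset'] ?? null;
    if ($pending === null || $now > $pending['expires']) {
        return false;
    }
    if (!hash_equals($pending['digest'], hash('sha256', $token))) {
        return false;
    }
    $users[$username]['reset'] = null; // single use
    $users[$username]['hash']  = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Walk-through on constructed data.
register($users, 'aaron', 'correct horse');
assert(login($users, 'aaron', 'correct horse'));
assert(!login($users, 'aaron', 'wrong'));

$now   = time();
$token = createResetToken($users, 'aaron', $now);
$link  = 'https://example.com/reset.php?u=aaron&t=' . $token; // what the email carries

assert(!consumeResetToken($users, 'aaron', 'not-the-token', 'x', $now));           // bad token
assert(!consumeResetToken($users, 'aaron', $token, 'x', $now + RESET_TTL + 1));    // expired
assert(consumeResetToken($users, 'aaron', $token, 'new pass', $now));              // accepted
assert(!consumeResetToken($users, 'aaron', $token, 'again', $now));                // already used
assert(login($users, 'aaron', 'new pass'));
echo "reset link that would be mailed: $link\n";
```

The same property protects both secrets: a leaked database row yields neither the password nor a usable reset link, and the only place the plaintext token ever exists is the one email it was sent in.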