On Nov 18, 6:57 am, Scott LaBounty <[email protected]> wrote:
> All,
>
> I've just put up another post on Ramaze / Sequel. This one talks about letting
> a user know their password if they forget. Let me know if you find any
> issues.
>
> http://steamcode.blogspot.com/2009/11/forgot-password.html
>
> Thanks!
I'll admit to not reviewing the code in detail, because I think the basic design is flawed. You shouldn't be storing the user's passwords directly in the database; it's generally considered a security risk. You should be storing only password hashes in the database, preferably salted per user.

Personally, I think challenge questions are stupid. Most challenge questions are easily guessable with a little research. I think only two things are needed:

1) Change password (if you know the existing password)
2) Reset password (if the password is forgotten). Generally this involves sending a link containing a random key to the person by email, and if they click on it, they can reset the password for the account.

Jeremy

--
You received this message because you are subscribed to the Google Groups "sequel-talk" group.
To post to this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/sequel-talk?hl=.
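The design Jeremy describes, as an added example that is not part of the thread or of the Ramaze / Sequel post it discusses: per-user salted password hashes (PBKDF2 from Ruby's OpenSSL stdlib), a change-password path that requires the current password, and a reset path that emails a random single-use, expiring token of which only a digest is stored. The `UserStore` class and its in-memory hash are a constructed stand-in for a Sequel `users` table; the email addresses and passwords in the demo are constructed sample values.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical in-memory stand-in for a Sequel users table (constructed for this example).
class UserStore
  ITERATIONS = 100_000   # PBKDF2 work factor; raise as hardware allows
  KEY_LEN    = 32        # derived key length in bytes
  RESET_TTL  = 3600      # reset links are valid for one hour

  Record = Struct.new(:email, :salt, :password_hash, :reset_token_hash, :reset_expires_at)

  def initialize
    @users = {}
  end

  # Store a fresh per-user salt and the PBKDF2 hash; the plaintext is never kept.
  def create(email, password)
    salt = SecureRandom.hex(16)
    @users[email] = Record.new(email, salt, derive(password, salt), nil, nil)
  end

  def authenticate(email, password)
    user = @users[email]
    return false unless user
    secure_compare(derive(password, user.salt), user.password_hash)
  end

  # 1) Change password: only allowed when the caller knows the existing password.
  def change_password(email, old_password, new_password)
    return false unless authenticate(email, old_password)
    set_password(@users[email], new_password)
    true
  end

  # 2) Reset password, step one: mint a random token to put in the emailed link.
  # Only its digest is stored, so a database leak does not expose usable links.
  # Returns nil for unknown accounts; the web layer should respond identically
  # either way so the endpoint cannot be used to enumerate users.
  def request_reset(email, now = Time.now)
    user = @users[email]
    return nil unless user
    token = SecureRandom.urlsafe_base64(32)
    user.reset_token_hash = digest(token)
    user.reset_expires_at = now + RESET_TTL
    token
  end

  # 2) Reset password, step two: the link is clicked; token must match, be
  # unexpired, and is consumed on success so it cannot be replayed.
  def reset_password(email, token, new_password, now = Time.now)
    user = @users[email]
    return false unless user && user.reset_token_hash
    return false if now > user.reset_expires_at
    return false unless secure_compare(digest(token), user.reset_token_hash)
    set_password(user, new_password)
    user.reset_token_hash = nil
    user.reset_expires_at = nil
    true
  end

  # Sanity check for the point in the thread: no field of the record holds the plaintext.
  def plaintext_stored?(email, password)
    user = @users[email]
    return false unless user
    user.to_a.any? { |v| v == password }
  end

  private

  def set_password(user, new_password)
    user.salt = SecureRandom.hex(16)          # re-salt on every change
    user.password_hash = derive(new_password, user.salt)
  end

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: KEY_LEN, hash: 'sha256')
  end

  def digest(token)
    OpenSSL::Digest::SHA256.digest(token)
  end

  # Constant-time comparison so timing does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  store = UserStore.new
  store.create('alice@example.com', 'correct horse')       # constructed sample user
  token = store.request_reset('alice@example.com')         # would be emailed as a link
  puts "reset ok: #{store.reset_password('alice@example.com', token, 'new pass')}"
  puts "login ok: #{store.authenticate('alice@example.com', 'new pass')}"
end
```

In a real Ramaze app the `UserStore` methods map onto a Sequel model with `salt`, `password_hash`, `reset_token_hash` and `reset_expires_at` columns, and `request_reset` hands the token to the mailer; the controller that receives the click should compare the token exactly as `reset_password` does and never render the token back to the browser.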
