Password Storage

Anon

Hi. I am in the process of creating a gaming community site. For this people can login once and have access to the forum, reviews and everything. My problem is with how to store the passwords in the database. If I don't encrypt them they are unsafe. But if I do MD5 them then people can't use a forgot password link to get the password back.

I could just assign a new password when they click forgot password, but then someone else could screw with another persons password just by entering in their email.

Any suggestions?

Thanks,

`Kevin

Anon

send the new password upon forgot password request only to the original member's email add.

so other person will not be able to see it.

Anon

Yes I know. But that causes inconvienience if Person A enters Person Bs email address. Then Person B will be assigned a new password when they didn't want one.

`Kevin

Anon

Well, I think it's very simple...

1) Passwords should be encrypted by md5()
2) The user must provide a username and an email address
3) Check whether the email belongs to the username
4) Generate a new password and send it to that email address

or you can ask a user defined secret question to check the user

Bye
Peter

Anon

if your server is properly secured, they won't find those passwords that easily, will they? You don't expect everybody to log into your db and sniff all content, do you?