Question on password retrieval

wing328

Hi all,

I've question regarding password retrieval. Suppose a member has lost its password, in most case the system should provided a way that the password can be emailed back to his email account, which is entered during registration.

My question is whether this method is safe or not since the email is not encrypted in anyway and therefore it's possible for someone else to inspect the content of the email.

Are there any better way to do the same thing??

Best,
Wing

cgraz

i don't know what database you're using, but for MySQL (the one that seems to be most popular on these boards), you should be storing an encrypted version of the password in the database. This is one-way encryption which cannot be reversed; thus, you shouldn't be able to mail the persons password back to them.

You could store an unencrypted version of the password, but if you do that, then there is no point in worrying about encryption between emails because you're not taking care of proper security on your server.

I'd store encrypted passwords in the database. If they lose their password, generate a new one.

Cgraz