Yep, it's always a tricky situation.
I'd be somewhat annoyed too if someone could just reset my password and lock me out of my account.
Even if the new password was sent by mail to a previously registered email address, that can easily be intercepted by the network admin at your ISP / office / internet cafe, who could then beat you to it and change the registered email address of your account.
I have seen systems which ask you to identify yourself by keying in details of
- previous orders
- address lines
- birth dates
- last 4 numbers of credit card
I have seen systems that "close the loop" by asking you to confirm by contacting you via
- sending a mail to a registered email address
- sending an SMS to a registered mobile number
- snailmailing something to a physical address
Based on the above, I have seen systems which will
- retrieve your password (getting rarer now)
- assign a new one to you
- invite you to set a new one
None of the above systems are foolproof.
Mails, SMS and snailmail can all be hijacked.
As web users - the message is clear - Don't forget your password!
As web creators - the message is somewhat less clear - do the best you can to protect your users from identity theft.
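One way to "close the loop" without letting a mere reset request lock the real owner out, as an added example that is not part of the post above: the current password stays valid until a single-use, time-limited token delivered over the registered channel is presented. The in-memory stores, user names and the stand-in password hash are constructed for the example.

```python
import hashlib
import os
import time
from typing import Optional

# Constructed in-memory stores; a real system would use a database.
USERS = {"alice": {"email": "alice@example.com", "password_hash": "old-hash"}}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry timestamp)

TOKEN_TTL_SECONDS = 15 * 60  # a short window limits the value of an intercepted mail


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a reset token to be sent to the registered address.

    The existing password is NOT changed here, so an attacker who can only
    trigger requests cannot lock the owner out. Returns the raw token for
    the mail/SMS, or None for an unknown user (in a real UI both cases should
    show the same message to avoid account enumeration).
    """
    now = time.time() if now is None else now
    if username not in USERS:
        return None
    token = os.urandom(32).hex()  # 256 bits of randomness, not guessable
    RESET_TOKENS[_hash_token(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Change the password only when a valid, unexpired token is presented.

    pop() makes the token single-use: a second attempt with the same token fails.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash_token(token), None)
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    # Stand-in for a proper slow password hash (bcrypt/scrypt/argon2).
    USERS[username]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```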