Forgot password - sending password to user

OniLink

Hi,

I'm trying to make a Forgot Password script and I was wondering is it possible to convert a sha1 encrypted password so that I can send a user their forgotten password.

Thanks for any help,
~Oni.

justsomeone

nope.

You can generate a new one and send them that.

OniLink

I never even thought of that. Thanks heaps for your help mate.

One more question... how would I generate a random password?

Zumm

That's actually the point of encrypted passwords - there is no way (or at least not supposed to, there's always some way...) to decrypt it. If the user types in his password, it will be encrypted and compared with the other encrypted password in the database.

Therefore it is common that you generate a new password and send that, this is also much more secure, for the user will probably change his newly generated password.

Zumm

This is what google gives when looking for "php generate password". I haven't tested this.

http://www.laughing-buddha.net/jon/php/password/

Plasma

Its not encrypted - sha1 (secure hashing algorithm) is a hash.

Its only one way.

justsomeone

The simpluest thing would be to constuct an array of, say, 55 elements. Populate this with the letters a-z in upper and lowercase , the digits 0-9 and some (safe) punctuation characters to make up the balance. To eliminate confusion, I would exclude the letters 'o', 'l', 'O' and the digist 0 and 1. This just because they can appear quite similar in some fonts.

Now you can create a loop to pick elements from this array at random, building up a password. A password length of 6 - 8 should be ok.

If your system supports it, you might want to set the password to "expired" so that when the user logs in with the new password, they are immediately prompted to set it again to somethign meaningful to them.

OniLink

All good ideas, thanks so much for your help. Very appreciated.