&quot;Forgot Password&quot; question

"Forgot Password" question

bluetonic

What are the thoughts on how to save an email in a database? I currently encrypt with SHA but it is one-way so if someone forgets their pw, it isn't retrievable. My site won't have any sensitive information like cc #'s, so I don't need fort knox. If I want to offer a link "Forgot password," what is the best practice?

dagon

why are you storing an email hashed (if its SHA its hashed not encrypted) in the first place?

bluetonic

email is supposed to be password.

dagon

oh so you hash password (standard practice) if they forget, you reset it and send the new one to there email address, at least that's how its usually done.

bluetonic

OK. So best practice is to just give them a new one and then allow them the opportunity to change it back some how. I wanted to make sure there wasn't some key that could lock and unlock a password.

dagon

the way i suggested is standard practice, but you could use encryption instead of hashing if you really wanted to, then you could send them the password they set.