forgot password

scoppc

I would like to implement the 'forgot password' feature but at the same time I want all the passwords stored in my database to be encrypted (using MD5).

The problem is I couldn't find the best way to incorporate both at the same time because 'forgot password' needs to send the password to users' email and obviously it is not in encrypted form.

Anybody has any suggestion?

Thanks.

peace,

scoppc

"May All Beings Live In Happiness"

Anon

well, the way it works is when they click "forgot password" and enter their e-mail address, create a new random word, insert it into the database in an encrypted format, and then send the plain text password to them. In the e-mail tell them to change it immediately...

there isn't really much else you can do... there is certainly no point in sending them the encrpyted password...

leifr

Hi!

MD5 is an one-way-encryption so you won't be able to decrypt the password. You may either save it without crypting or you could set a new random generated password which will be sent to the user.

Leif

Anon

Instead of sending the actual password in the email message, you could send a link to a PHP page in where you make the user to choose a different password.

When the user clicks on the link, it goes to this page, and changes the password, thus the old password is never displayed...

Not sure if this idea can help you...

Cesar

scoppc

Is there any other way instead of creating a new password for the users?
Coz, I have seen so many 'forgot password' feature that could send you your password! Don't tell me they do not encrypt the password in their database.

Anyway, the suggestions that you all have given are cool. (^_⁾

Anon

hey

when you encrypt something with md5, you can't decrpyt it (i.e. it is one-way encrpytion)

so if a website is able to send you your old password it does unfortunately (most likely) mean that they are not encrypting them in the database...

[deleted]

Nice idea but; if you're worried about people getting the password by reading the email, what's the point of sending an URL that lets you change set password instead? Getting a way to set the password is the same as having the password.

Anon

I have always did it with the forgot password they click, enter email and it 1) finds the email (If no email it just tells them that they are retarted) ASSUMING IT IS A VALID EMAIL THEN IT GOES TO --> 2) it generates a random number and places it in the DB under password 3) Mails the person the password (From their email when they signed up) and has a link to change it in the email. 4) that link simply just has a enter old (number) enter new and it will update the database. It will also update the MD5er. If I am "wrong" then I really don't care cause it works for me. Unless you have a huge security flaw that you see, and I don't. Vincent I know you must see one here. You always do! 😉
Ziggs