limitphp, posted December 5, 2008

To set a new password, I'm adding a security question and answer. Do you think it's necessary to store the security answer they give in the database encrypted like passwords? Also, do you think it's necessary to handle the security answer on the HTML form as password type? <input type=password name=securityAnswer> I don't have SSL on my website, and probably won't be able to get it until it gets popular and makes me a little money to pay for it.

Thread: https://forums.phpfreaks.com/topic/135705-solved-security-question-and-answer-store-and-handle-like-passwords/
keiran420, posted December 5, 2008

Sure, couldn't hurt, the more security measures added, the better really... Saying that though, I would hope your security question would email the new password to the registered email address, thus making the security answer kind of pointless without access to that email.
premiso, posted December 5, 2008

Very possible, just md5 the security answer. And when they try to use it, you just have to check against the md5 hash. I usually handle it on the form as a non-password type, because the password type is just to prevent people looking over your shoulder from seeing. Just remember it will be case sensitive if you use the md5 hash.
limitphp (author), posted December 5, 2008

> Sure, couldn't hurt, the more security measures added, the better really... Saying that though, I would hope your security question would email the new password to the registered email address, thus making the security answer kind of pointless without access to that email.

Yeah. Basically, on the front page there's a link users can click called "forget password". Once there, they enter their username. Once a username matches, it takes them to a form for them to fill out their fname, lname, email address, (it shows their security question) their security answer, and a recaptcha. Once they submit that, if all entries match the user table (email included) I will send a reset password to their email address from the user table. So they have to know name, email address and security answer to reset the password. The only thing I see about this system is, people can use it to easily see if a username is taken. I don't know if that's necessarily a horrible thing, though.
limitphp (author), posted December 5, 2008

> Just remember it will be case sensitive if you use the md5 hash.

Ooooo... thanks for telling me that! In that case, I don't think I want to hash it. If it's several words long, they might not remember if they capitalized anything.
gevans, posted December 5, 2008

Let them do it as they like, but make your string lower case before hashing it. Do that when you add it, and when you check it:

$name = strtolower($name);

Or you could just tell them it's case sensitive, they should remember!!
premiso, posted December 5, 2008

> Just remember it will be case sensitive if you use the md5 hash.
>
> Ooooo... thanks for telling me that! In that case, I don't think I want to hash it. If it's several words long, they might not remember if they capitalized anything.

Or just strtolower all the answers, and when they submit, do the same before you hash it and you are good.
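The following is an added example, not code from this thread or from any of the posters. It ties together the two points made above: normalizing the security answer (lower-casing, as gevans and premiso suggest, plus trimming whitespace) before hashing it, and running limitphp's reset flow so that the response is identical whether or not the username exists, which removes the username-enumeration side effect limitphp noticed. It uses password_hash()/password_verify() (PHP 5.5+) in place of the md5() mentioned in the thread, and only ever stores a hash of the reset token. The users table, its column names, the RESET_TOKEN_TTL policy and the $sendResetMail callback are assumptions.

```php
<?php
// Added example, not from the thread. Assumed schema: users(id, username,
// email, fname, lname, security_answer_hash, reset_token_hash, reset_expires).
declare(strict_types=1);

const RESET_TOKEN_TTL = 3600; // seconds a reset link stays valid (assumed policy)

function normalizeAnswer(string $answer): string
{
    // Lower-case (multibyte aware), trim, and collapse runs of whitespace so
    // "Blue Honda  Civic" and "blue honda civic" hash to the same value.
    $lower = mb_strtolower(trim($answer), 'UTF-8');
    return preg_replace('/\s+/u', ' ', $lower);
}

function hashAnswer(string $answer): string
{
    // Salted, slow hash; store this instead of the plain answer or an md5.
    return password_hash(normalizeAnswer($answer), PASSWORD_DEFAULT);
}

function verifyAnswer(string $submitted, string $storedHash): bool
{
    return password_verify(normalizeAnswer($submitted), $storedHash);
}

/**
 * Handle the "forgot password" form. The returned message is the same for an
 * unknown username, wrong details, and success, so the form does not reveal
 * which usernames are taken. $form holds the submitted fields (username,
 * fname, lname, email, securityAnswer); recaptcha is assumed to be checked
 * before this is called.
 */
function handlePasswordReset(PDO $db, array $form, callable $sendResetMail): string
{
    $generic = 'If the details you entered match an account, a reset link '
             . 'has been e-mailed to the address on file.';

    $stmt = $db->prepare(
        'SELECT id, email, fname, lname, security_answer_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $form['username'] ?? '']);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown so the request
    // takes about the same time either way.
    $answerHash = is_array($user)
        ? $user['security_answer_hash']
        : password_hash('dummy-answer', PASSWORD_DEFAULT);
    $answerOk = verifyAnswer($form['securityAnswer'] ?? '', $answerHash);

    $same = static fn(string $stored, ?string $given): bool =>
        hash_equals(strtolower($stored), strtolower(trim($given ?? '')));

    $detailsOk = is_array($user)
        && $same($user['email'], $form['email'] ?? null)
        && $same($user['fname'], $form['fname'] ?? null)
        && $same($user['lname'], $form['lname'] ?? null);

    if (!$answerOk || !$detailsOk) {
        return $generic;
    }

    // Unguessable token; only its hash is stored, so a leaked table cannot be
    // used to forge reset links. The plain token goes out in the e-mail once.
    $token = bin2hex(random_bytes(32));
    $upd = $db->prepare(
        'UPDATE users SET reset_token_hash = :h, reset_expires = :e WHERE id = :id'
    );
    $upd->execute([
        ':h'  => hash('sha256', $token),
        ':e'  => time() + RESET_TOKEN_TTL,
        ':id' => $user['id'],
    ]);

    // Mail goes only to the address already on file, never to one from the form.
    $sendResetMail($user['email'], $token);

    return $generic;
}
```

When the user later follows the link, look up the account by hash('sha256', $token) with reset_expires still in the future, let them choose a new password, and clear reset_token_hash so the link is single-use. Because the generic message is returned in every case, the username field on the first page should not be validated separately either; collecting all the details on one form avoids the enumeration limitphp described, and the recaptcha already in the design limits guessing of the answer.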
limitphp (author), posted December 5, 2008

Dang, you guys are clever! Nothing ever gets by you guys... it's ridiculous. I'll do that. Thanks guys!