gevans Posted February 4, 2009 Share Posted February 4, 2009 I'm writting a lost password script. This is how it's going to work... A user has lost their password... Go to the lost password page enter the email address assigned to the account (also used for logging in) submit form.... email matched against database once found new 8 character random pass is generated password encrypted and updated in database password sent to user via email Now I've done this before and am fine doing it, my only question is, is there more I can do for security other than going down the security question route (which I'm not going to). Quote Link to comment Share on other sites More sharing options...
genericnumber1 Posted February 4, 2009 Share Posted February 4, 2009 Other than using a captcha, request throttling, or some other means to prevent email guessing (some people do it just to be mean), I'm not aware of any methods other than security questions that would work.. that's not to say there aren't other routes to take, just not any I've ever used or encountered. Quote Link to comment Share on other sites More sharing options...
gevans Posted February 4, 2009 Author Share Posted February 4, 2009 Yea, I couldn't think of much else either, might put the security question in place is a problem ever arises. I know that sounds lame.... Q: why not fix the problem before it's started?? A: it's more cost affective not to (at least short term). Quote Link to comment Share on other sites More sharing options...
Philip Posted February 4, 2009 Share Posted February 4, 2009 ...password encrypted and updated in database password sent to user via email They must change their password upon first login. Quote Link to comment Share on other sites More sharing options...
genericnumber1 Posted February 4, 2009 Share Posted February 4, 2009 I typically use security questions for things like this, it's simple for even very inexperienced users to use as long as you implement it correctly. Quote Link to comment Share on other sites More sharing options...
The Little Guy Posted February 4, 2009 Share Posted February 4, 2009 What you could do, is once they enter their email, send them a new password, and when they log in with the new password, ask them to create their own password before they continue. Quote Link to comment Share on other sites More sharing options...
uniflare Posted February 4, 2009 Share Posted February 4, 2009 Naw don't really need security questions, its a form of another password, usually easier to guess :/ since ou know the "topic" of the question.... especially if its stuff like "whats your dogs name"!? like wth!? lol. Your current structure is fine, but i agree with genericnumber1: make sure people cant spam other email addresses. Once a request email has been sent say 3 times (email doesnt always arrive, every1 knows) - you should set a flag on the user profile showing that they need to log in with the new password before they can request another new password. Which is basically limiting the password forget request emails, to 3. Until the owner of the account logs back in. This would be extremely simple to implement, ou dont need any random q stuff. You should definietely have a way of entering a new password for themeselves or changing the current one in some "Account" Link. my 2 cents . its what i would do. Inactive accounts i would delete after a some months. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.