password problem (* solved *)
Posted 23 August 2006 - 03:25 PM
If, when registering a user account, the password is fuzzy (*****), and the database is updated to include the password as a hash (s;gfjiorgfijg), how do you, when the user wants to change account details, make the password field = ***** (fuzzy) instead of the hash value, so the user can use the same password when updating file instead of creating a new password every time they view and update their account? The problem I am having is that PHP is retrieving user account details and the password field is given the hash value, so when the user updates, the password is now the hash value of the hash value.
Or am I to resort to making the user create a new password every time they want to update their details?
Thanks for your help.
Posted 23 August 2006 - 03:42 PM
If the old password is lost, there is no way you can retrieve the original value if you are using MD5, SHA1 or similar as these are irreversible hashes that can only be broken via brute forcing.
If you want to change a password, you just get them to enter their current password, and a new password. On submission of the new password, verify that the hashed value of the old password they entered matches the hash in your database. If it does, hash the new password and enter that... If it doesn't, they typed the old password wrong and you should fail the password change.
Hope that makes sense.
Posted 23 August 2006 - 03:53 PM
The user can update any account details (fname, sname, dofb, etc...) but the form (input text) holds the values of what's in the database and the user can update any of these input boxes. The problem I am having is the password input box holds the hash value instead of the original value, so when they are saving the new details, it saves the password as the hash value of the hash value. I am trying to find another way around this... because the way I am trying, I have to make the password field blank and they have to enter a new password each time they update their account details. Does anyone know of a better way of approaching this? Maybe have update account details on a different form to change password?
Posted 23 August 2006 - 03:57 PM
Posted 23 August 2006 - 04:00 PM
So what we are saying is if the user is updating/changing account details then don't include a password field, instead have another option on the site to change password?
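
The approach discussed above (never put the stored hash into the form, and only change the password when the current one is verified), as an added example that is not part of the original thread. It uses PHP's built-in password_hash() and password_verify() in place of the MD5/SHA1 mentioned earlier; updateAccount(), new_password, current_password and password_hash are assumed names, and the user record is a constructed in-memory array rather than a database row.

```php
<?php
// Added example. updateAccount(), new_password, current_password and
// password_hash are assumed names; fname, sname, dofb come from the thread.

function updateAccount(array $user, array $form): array
{
    $new = $form['new_password'] ?? '';

    if ($new !== '') {
        // Changing the password requires the current one, checked against
        // the stored hash. On failure nothing is saved.
        $current = $form['current_password'] ?? '';
        if (!password_verify($current, $user['password_hash'])) {
            return [$user, 'rejected: current password is wrong'];
        }
        // Only text the user typed is ever hashed, never the stored hash.
        $user['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    }

    // Profile fields are copied from the form; the hash is not a form field.
    foreach (['fname', 'sname', 'dofb'] as $field) {
        if (isset($form[$field])) {
            $user[$field] = trim($form[$field]);
        }
    }

    $note = $new === '' ? 'password unchanged' : 'password changed';
    return [$user, "saved, $note"];
}

// Constructed sample record and form submissions.
$user = [
    'fname' => 'Ann', 'sname' => 'Lee', 'dofb' => '1980-01-01',
    'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT),
];

// 1. Details only: the password inputs were left blank.
[$user, $msg] = updateAccount($user, ['fname' => 'Anne', 'new_password' => '']);
echo $msg, ' / old password still valid: ',
    var_export(password_verify('old-secret', $user['password_hash']), true), "\n";

// 2. Password change with the wrong current password.
[$user, $msg] = updateAccount($user, ['current_password' => 'guess', 'new_password' => 'new-secret']);
echo $msg, "\n";

// 3. Password change with the correct current password.
[$user, $msg] = updateAccount($user, ['current_password' => 'old-secret', 'new_password' => 'new-secret']);
echo $msg, ' / new password valid: ',
    var_export(password_verify('new-secret', $user['password_hash']), true), "\n";
```

In the HTML form, the password inputs are rendered with an empty value attribute, so the browser shows nothing and the hash never leaves the server.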
Posted 23 August 2006 - 04:13 PM
Posted 23 August 2006 - 04:31 PM