

password problem (* solved *)


7 replies to this topic

#1 Guest_huey4657_*

Guest_huey4657_*
  • Guests

Posted 23 August 2006 - 03:25 PM

Hi,
When registering a user account, the password is fuzzy (*****), and when the database is updated the password is stored as a hash (s;gfjiorgfijg). When the user wants to change account details, how do you make the password field = ***** (fuzzy) instead of the hash value, so the user can keep the same password when updating instead of creating a new password every time they view and update their account? The problem I am having is that PHP is retrieving the user account details and the password field is given the hash value, so when the user updates, the password is now the hash value of the hash value.

Or am I to resort to making the user create a new password every time they want to update their details?

Thanks for your help

#2 syed

syed
  • Members
  • Advanced Member
  • 151 posts
  • Location: England

Posted 23 August 2006 - 03:40 PM

Hi, why do you need to retrieve the user's password when the user is updating their profile? Are you saying you want them to change the password? If so, then you can use a password input box.

#3 lessthanthree

lessthanthree
  • Members
  • Advanced Member
  • 85 posts
  • Location: UK

Posted 23 August 2006 - 03:42 PM

It depends on whether you are talking about making a new password due to the old one being forgotten or lost, or just updating the password.

If the old password is lost, there is no way you can retrieve the original value if you are using MD5, SHA1 or similar, as these are irreversible hashes that can only be broken via brute forcing.

If you want to change a password, you just get them to enter their current password, and a new password. On submission of the new password, verify that the hashed value of the old password they entered matches the hash in your database. If it does, hash the new password and enter that. If it doesn't, they typed the old password wrong and you should fail the password change.

Hope that makes sense.
call me a safe bet, i'm betting i'm not
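
The flow described in the post above, as an added example that is not code from anyone in this thread: the account form never receives the stored hash, a blank password box leaves the hash alone, and a change requires the current password to verify. It uses PHP's `password_hash()` / `password_verify()` in place of the MD5/SHA1 mentioned above; the `$user` row, the form field names and the `update_account()` helper are hypothetical stand-ins for the real table and form.

```php
<?php
// Constructed sample row standing in for a users table (assumption).
$user = [
    'fname'         => 'Ann',
    'sname'         => 'Example',
    'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT),
];

// Hypothetical helper: apply a submitted account form to a user row.
// The stored hash is never placed in the form, so it can never be re-hashed.
function update_account(array $user, array $form): array
{
    // Ordinary profile fields: copy only the keys we expect.
    foreach (['fname', 'sname'] as $field) {
        if (isset($form[$field]) && trim($form[$field]) !== '') {
            $user[$field] = trim($form[$field]);
        }
    }

    // Blank "new password" box means: leave the existing hash untouched.
    $new = $form['new_password'] ?? '';
    if ($new === '') {
        return $user;
    }
    // A change is requested: the current password must verify first.
    $current = $form['current_password'] ?? '';
    if (!password_verify($current, $user['password_hash'])) {
        throw new RuntimeException('Current password is incorrect');
    }
    $user['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    return $user;
}

// 1. Details edited, password boxes left blank: hash stays the same.
$before = $user['password_hash'];
$user   = update_account($user, ['fname' => 'Anne', 'new_password' => '']);
echo 'hash unchanged: ', var_export($user['password_hash'] === $before, true), "\n";

// 2. Wrong current password: the change is refused, row is not modified.
try {
    update_account($user, ['current_password' => 'guess', 'new_password' => 'x']);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// 3. Correct current password: the new password is hashed exactly once.
$user = update_account($user, ['current_password' => 'old-secret', 'new_password' => 'new-secret']);
echo 'new password verifies: ', var_export(password_verify('new-secret', $user['password_hash']), true), "\n";
```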

#4 Guest_huey4657_*

Guest_huey4657_*
  • Guests

Posted 23 August 2006 - 03:53 PM

No,
the user can update any account details (fname, sname, dofb, etc...) but the form (input text) holds the values of what's in the database and the user can update any of these input boxes. The problem I am having is the password input box holds the hash value instead of the original value, so when they are saving the new details, it saves the password as the hash value of the hash value. I am trying to find another way around this... because the way I am trying, I have to make the password field blank and they have to enter a new password each time they update their account details. Does anyone know of a better way of approaching this? Maybe have update account details on a different form to change password?

#5 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 23 August 2006 - 03:57 PM

As has been said, if you want to change a password, you just get them to enter their current password, and a new password. Don't put their original password in the form.

#6 Guest_huey4657_*

Guest_huey4657_*
  • Guests

Posted 23 August 2006 - 04:00 PM

Hi,
so what we are saying is if the user is updating/changing account details then don't include a password field, instead have another option on the site to change password?

#7 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 23 August 2006 - 04:13 PM

Why don't you look at how this forum does it? Click on the profile link, then account settings.

#8 Guest_huey4657_*

Guest_huey4657_*
  • Guests

Posted 23 August 2006 - 04:31 PM

Thanks for your help guys.



