Guest huey4657 Posted August 23, 2006

Hi, if when registering a user account the password is fuzzy (*****), and when the database is updated to include the password as a hash (s;gfjiorgfijg), how do you, when the user wants to change account details, make the password field = ***** (fuzzy) instead of the hash value, so the user can use the same password when updating file instead of creating a new password every time they view and update their account? Because the problem I am having is that PHP is retrieving user account details and the password field is given the hash value, so when the user updates, the password is now the hash value of the hash value. Or am I to resort to making the user create a new password every time they want to update their details? Thanks for your help.

syed Posted August 23, 2006

Hi, why do you need to retrieve the user's password when the user is updating their profile? Are you saying you want them to change the password? If so, then you can use a password input box.

lessthanthree Posted August 23, 2006

It depends on whether you are talking about making a new password due to the old one being forgotten or lost, or just updating the password.

If the old password is lost, there is no way you can retrieve the original value if you are using MD5, SHA1 or similar, as these are irreversible hashes that can only be broken via brute forcing.

If you want to change a password, you just get them to enter their current password, and a new password. On submission of the new password, verify that the hashed value of the old password they entered matches the hash in your database. If it does, hash the new password and enter that... If it doesn't, they typed the old password wrong and you should fail the password change.

Hope that makes sense.

Guest huey4657 Posted August 23, 2006

No, the user can update any account details (fname, sname, dofb, etc...) but the form (input text) holds the values of what's in the database and the user can update any of these input boxes. The problem I am having is the password input box holds the hash value instead of the original value, so when they are saving the new details, it saves the password as the hash value of the hash value. I am trying to find another way around this... because the way I am trying, I have to make the password field blank and they have to enter a new password each time they update their account details. Does anyone know of a better way of approaching this? Maybe have update account details on a different form to change password?

trq Posted August 23, 2006

As has been said, "If you want to change a password, you just get them to enter their current password, and a new password." Don't put their original password in the form.

Guest huey4657 Posted August 23, 2006

Hi, so what we are saying is: if the user is updating/changing account details then don't include a password field, instead have another option on the site to change password?

trq Posted August 23, 2006

Why don't you look at how this forum does it? Click on the profile link, then account settings.

Guest huey4657 Posted August 23, 2006

Thanks for your help guys.
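
The flow the replies above describe (lessthanthree's verify-then-rehash procedure and trq's advice to keep the password out of the profile form), as an added example that is not part of the original posts. The `users` table, its column names and both function names are hypothetical; it assumes PHP 5.5+ with `pdo_sqlite` and uses `password_hash()`/`password_verify()` in place of the bare MD5/SHA1 hashes mentioned in the thread.

```php
<?php
// Added example, not code from the thread. Table/column/function names are hypothetical.

// Profile update: the stored hash is never sent to the form and never written
// here, so it cannot be re-hashed by accident when other fields are saved.
function update_profile(PDO $db, $userId, $fname, $sname) {
    $stmt = $db->prepare('UPDATE users SET fname = ?, sname = ? WHERE id = ?');
    return $stmt->execute([$fname, $sname, $userId]);
}

// Password change: a separate action that requires the current password.
function change_password(PDO $db, $userId, $current, $new) {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();

    // Unknown user or wrong current password: fail the change.
    if ($stored === false || !password_verify($current, $stored)) {
        return false;
    }
    // An empty new password is rejected rather than hashed and stored.
    if ($new === '') {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    return $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, fname TEXT, sname TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (1, ?, ?, ?)')
   ->execute(['Ann', 'Example', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Saving profile fields leaves the password hash as it was.
update_profile($db, 1, 'Anne', 'Example');

// First call supplies a wrong current password, second the correct one.
var_dump(change_password($db, 1, 'wrong-guess', 'new-secret'));
var_dump(change_password($db, 1, 'old-secret', 'new-secret'));

// After the successful change only the new password verifies.
$hash = $db->query('SELECT password_hash FROM users WHERE id = 1')->fetchColumn();
var_dump(password_verify('new-secret', $hash));
var_dump(password_verify('old-secret', $hash));
```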