lost password


5 replies to this topic

#1 Deserteye


Posted 17 September 2006 - 06:10 PM

I am trying to make a lost password script, but when I try to retrieve the password from the database and send it in an email to the user, it stays encrypted. I am using md5 encryption. I know that is one way encryption. Any suggestions?


#2 Wintergreen


Posted 17 September 2006 - 06:11 PM

You'll have to send them an e-mail with a new temporary password as well as change their password in the DB to the new one. Then have them log in and change it.

#3 redarrow


Posted 17 September 2006 - 06:31 PM

Provide a link near the login username and password. When the user presses the link, ask them for their email address, a new password and a retyped password from a form, and if the email matches then update the password with the new one.

#4 Wintergreen


Posted 17 September 2006 - 06:33 PM

The problem with that is that anyone can change anyone else's password just by knowing their e-mail address.

#5 redarrow


Posted 17 September 2006 - 06:37 PM

Well, the only safe way I can see you doing it is: when a user registers, ask them for a special name, and when users lose their passwords, use the special name to activate their new password.

#6 .josh


Posted 17 September 2006 - 07:08 PM

you cannot decrypt an md5 password.  all you can do is make a new one and send them the new password. 

as far as anybody being able to reset your password simply by knowing your email: here is what I do, and it may or may not be the best method, as I am no expert:

I have a field called temp_password. it is set to null by default. 

when you request a password reset, the script generates a temporary password and sends it to the email address, along with a "if you did not request this email, please report it or click on this linkie here", or whatever. it's up to you what you want to do as far as "I didn't request this password change!" situations. I try to log as many things as possible when a user requests a password change, such as the ip address, etc., but those things only go so far as reliability.

the login script is then altered to not only check the normal password, but also see if temp_password is null or not, or if the user is trying to login with the temp_password.

if they login with the temp_password, prompt the user to change their password, and reset temp_password to null.

if they login with their old password, simply reset the temp_password to null.  you could also echo a message to the user warning them that (because the temp_password was not null), someone may have tried to reset their password, and give them the option to report it or something, in case they a) no longer have access to their own email, but obviously know their password, or b) haven't checked their email yet, or don't check it very often, so they wouldn't know about it.
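
The temp_password flow described in post #6, as an added example that is not part of the original thread or any poster's code. It assumes a `users` table with `email` and `password` columns (hypothetical names), runs against an in-memory SQLite database with a constructed sample user, and stores `password_hash()` output instead of the md5 hashes the thread mentions.

```php
<?php
// Added example of the temp_password flow. Table and column names other than
// temp_password are assumptions; password_hash() replaces the thread's md5.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL, temp_password TEXT NULL)');
$db->prepare('INSERT INTO users (email, password) VALUES (?, ?)')
   ->execute(['alice@example.test', password_hash('original-pw', PASSWORD_DEFAULT)]); // constructed sample user

// Reset request: store only a hash of the temporary password; the real password is untouched.
function requestReset(PDO $db, string $email): ?string {
    $temp = bin2hex(random_bytes(8)); // CSPRNG, 16 hex characters
    $st = $db->prepare('UPDATE users SET temp_password = ? WHERE email = ?');
    $st->execute([password_hash($temp, PASSWORD_DEFAULT), $email]);
    return $st->rowCount() === 1 ? $temp : null; // caller e-mails $temp to the address on file
}

// Login: returns 'denied', 'ok', 'ok_reset_was_pending' or 'must_change_password'.
function login(PDO $db, string $email, string $pw): string {
    $st = $db->prepare('SELECT password, temp_password FROM users WHERE email = ?');
    $st->execute([$email]);
    $u = $st->fetch(PDO::FETCH_ASSOC);
    if ($u === false) {
        return 'denied';
    }
    $pending = $u['temp_password'] !== null;
    $clear = $db->prepare('UPDATE users SET temp_password = NULL WHERE email = ?');
    if (password_verify($pw, $u['password'])) {
        $clear->execute([$email]); // old password still works: cancel the pending reset
        return $pending ? 'ok_reset_was_pending' : 'ok'; // pending => warn the user
    }
    if ($pending && password_verify($pw, $u['temp_password'])) {
        $clear->execute([$email]); // temporary password is single use
        return 'must_change_password';
    }
    return 'denied';
}

// Walk through both branches with the constructed user.
$temp = requestReset($db, 'alice@example.test');
echo login($db, 'alice@example.test', 'wrong-guess'), "\n";
echo login($db, 'alice@example.test', $temp), "\n";
echo login($db, 'alice@example.test', $temp), "\n";
requestReset($db, 'alice@example.test');
echo login($db, 'alice@example.test', 'original-pw'), "\n";
echo login($db, 'alice@example.test', 'original-pw'), "\n";
```

Because the reset request never overwrites the real password, someone who only knows the victim's e-mail address cannot lock them out or change their password; the temporary password is usable only by whoever can read that mailbox.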



