Deserteye Posted September 17, 2006 I am trying to make a lost password script, but when I try to retrieve the password from the database and send it in an email to the user, it stays encrypted. I am using md5 encryption. I know that is one-way encryption. Any suggestions?
Wintergreen Posted September 17, 2006 You'll have to send them an e-mail with a new temporary password as well as change their password in the DB to the new one. Then have them log in and change it.
redarrow Posted September 17, 2006 Provide a link near the login username and password. When the user presses the link, ask them for their email address and a new password and a retyped password from a form, and if the email matches then update the password with the new one.
Wintergreen Posted September 17, 2006 The problem with that is that anyone can change anyone else's password just by knowing their e-mail address.
redarrow Posted September 17, 2006 Well, the only safe way I can see you doing it is when a user registers, ask them for a special name, and when users lose their passwords, use the special name to activate their new password.
.josh Posted September 17, 2006 You cannot decrypt an md5 password. All you can do is make a new one and send them the new password. As far as anybody being able to reset your password simply by knowing your email: here is what I do, and it may or may not be the best method, as I am no expert: I have a field called temp_password. It is set to null by default. When you request a password reset, the script generates a temporary password and sends it to the email address, along with a "if you did not request this email, please report it or click on this linkie here", or whatever. It's up to you what you want to do as far as "I didn't request this password change!" situations. I try to log as many things as possible when a user requests a password change, such as the IP address, etc., but those things only go so far as reliability. The login script is then altered to not only check the normal password, but also see if temp_password is null or not, or if the user is trying to login with the temp_password. If they login with the temp_password, prompt the user to change their password, and reset temp_password to null. If they login with their old password, simply reset the temp_password to null. You could also echo a message to the user warning them that (because the temp_password was not null), someone may have tried to reset their password, and give them the option to report it or something, in case they a) no longer have access to their own email, but obviously know their password, or b) haven't checked their email yet, or don't check it very often, so they wouldn't know about it.
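The temp_password flow described in the post above, written out as an added example (not code from the thread or any poster). It assumes a PDO connection to an in-memory SQLite table with assumed column names, stores only a hash of the temporary password with an expiry, and makes it single-use: logging in with either the old or the temporary password clears it.

```php
<?php
// Added example: one-time temporary password with expiry, stored hashed.
// Table and column names (users, email, password, temp_password, temp_expires) are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL,
                               temp_password TEXT, temp_expires INTEGER)');

// Constructed sample user; the real password is stored as a salted hash, never md5.
$db->prepare('INSERT INTO users VALUES (?, ?, NULL, NULL)')
   ->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Step 1: the reset request. Generate the temporary password from a CSPRNG, store only
// its hash plus a one-hour expiry, and return the cleartext once so it can be e-mailed.
function requestReset(PDO $db, string $email): ?string {
    $temp = bin2hex(random_bytes(8));   // 16 hex characters
    $stmt = $db->prepare('UPDATE users SET temp_password = ?, temp_expires = ? WHERE email = ?');
    $stmt->execute([password_hash($temp, PASSWORD_DEFAULT), time() + 3600, $email]);
    // Return null for unknown addresses; the page shown to the browser should not differ.
    return $stmt->rowCount() === 1 ? $temp : null;
}

// Step 2: the altered login check. Returns 'ok', 'must_change' (logged in with the
// temporary password, so the caller forces a password change) or 'fail'.
function login(PDO $db, string $email, string $given): string {
    $stmt = $db->prepare('SELECT * FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $u = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$u) {
        return 'fail';
    }
    $clear = $db->prepare('UPDATE users SET temp_password = NULL, temp_expires = NULL WHERE email = ?');
    if (password_verify($given, $u['password'])) {
        $clear->execute([$email]);      // old password still works: cancel the pending reset
        return 'ok';
    }
    if ($u['temp_password'] !== null && (int)$u['temp_expires'] > time()
        && password_verify($given, $u['temp_password'])) {
        $clear->execute([$email]);      // single use: the temporary password is now gone
        return 'must_change';
    }
    return 'fail';
}

$temp = requestReset($db, 'alice@example.com');   // this value would be e-mailed
echo login($db, 'alice@example.com', $temp), "\n";
echo login($db, 'alice@example.com', $temp), "\n";
echo login($db, 'alice@example.com', 'correct horse'), "\n";
```

Running it prints must_change, then fail (the temporary password was consumed), then ok. Because only a hash of the temporary password is stored, a database read does not reveal a usable reset credential, and the expiry bounds how long an unread reset e-mail stays valid.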