bugzy, posted August 22, 2012

I have my users' passwords saved in the database using sha1, so based on my research, it's hard to decode them and there's no way I can show my users the actual password they have saved once they use my "forget password" feature, which will be sent via e-mail.

I wonder if it is safe to put the user's ID and sha1 password in the URL? The link will be sent via e-mail, as I have said, and once they click it, it will be verified via $_GET and then post a new form which will give them an option to put in a new password.

I wonder if this will work or if there's a security issue with this? Or do you guys have any approach to this?

Thanks

trq, posted August 22, 2012

Reset the user's password to something you know and send them that.

bugzy (Author), posted August 22, 2012

> Reset the user's password to something you know and send them that.

thorpe, that was really a great and simple solution, though I wonder where I will get that password? As much as possible I want everything to be automated in PHP. Will I put a default password value for resetting a password, or will there be a list of passwords? Because if there was a list or a default value, do you think it is very vulnerable to some kind of sabotage of my website?

floridaflatlander, posted August 22, 2012

Once the pw is hashed you can say it's impossible for joe average, AKA people like you and me, to get the password out.

I know sites that can email you your password when you forget it, not email you a new password. I would guess they have another table with the password in it; I would also guess they don't put it in the members table.

floridaflatlander, posted August 22, 2012

> > Reset the user's password to something you know and send them that.
> thorpe, that was really a great and simple solution, though I wonder where I will get that password?

Sorry, didn't read your 2nd post well.

To make a new pw I use ...

    $pw = substr( md5(uniqid(rand(), true)), 3, 10);

bugzy (Author), posted August 22, 2012

Thanks to thorpe for giving me the idea and thanks to floridaflatlander for giving an idea on how to generate a new password.

Thanks again guys!
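
An added example (not code from any poster in this thread) of the e-mailed reset link asked about in the first post, carrying a random, single-use, expiring token in the URL instead of the user's stored SHA-1 hash. The in-memory arrays standing in for database tables, the function names, the user ID 42 and the example.test URL are assumptions for illustration.

```php
<?php
// Added example. $users and $resets are constructed in-memory stand-ins
// for database tables; names and values are hypothetical.
$users  = [42 => ['password_hash' => password_hash('old-password', PASSWORD_DEFAULT)]];
$resets = [];

// Create the token that goes into the e-mailed link.
// Only its SHA-256 digest is stored, so a leaked table cannot be replayed as a link.
function issueResetToken(array &$resets, int $userId, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the OS CSPRNG
    $resets[$userId] = [
        'token_hash' => hash('sha256', $token),
        'expires_at' => time() + $ttl,
    ];
    return $token;
}

// Check the uid and token received via $_GET and, on success, store the new password.
function redeemResetToken(array &$resets, array &$users, int $userId,
                          string $token, string $newPassword): bool
{
    $row = $resets[$userId] ?? null;
    if ($row === null || $row['expires_at'] < time()) {
        unset($resets[$userId]);                   // unknown or expired request
        return false;
    }
    // Constant-time comparison of the stored digest with the submitted token's digest.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    unset($resets[$userId]);                       // single use: the link dies here
    $users[$userId]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

$token = issueResetToken($resets, 42);
echo "https://example.test/reset.php?uid=42&token=$token\n";   // placeholder host

// A wrong token is rejected, the real one works once, and a replay fails.
var_dump(redeemResetToken($resets, $users, 42, 'wrong-token', 'new-pass'));
var_dump(redeemResetToken($resets, $users, 42, $token, 'new-pass'));
var_dump(redeemResetToken($resets, $users, 42, $token, 'again'));
var_dump(password_verify('new-pass', $users[42]['password_hash']));
```

The token in the link reveals nothing about the stored password, and it stops working after one use or after the expiry time.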