Quick question...


Patrick3002

Hi, I have a quick question about user databases...

Say John Doe and I have different e-mail addresses but we have the same passwords in the phpfreaks database. If I typed in John Doe's username and my password (which is the same as his), wouldn't I be able to login?

Only thing is, I didn't think everyone had to have a unique password, just a unique username...

'Cause I have a login script, but I just realized that in my db, you can't have the same email but you can have the same password. So if I typed in someone else's email and tried my password with it, I would login. I want to stop this but I don't want to have unique passwords.

Can someone clear this up for me?

Thanks!

Link to comment
Share on other sites

Yes, if you type in someone else's username and password, you will be able to login.  But the odds of having the same password are very small, unless both people happen to like the same tv show (trustno1) or the same band (blink182)  :D

Link to comment
Share on other sites

Yeah... true true.

But is there some kind of script I could create to stop this without using unique passwords? I also use an id field in my db. It's auto_increment too, so that's unique to each user. I'm sure I could come up with something using that, correct?

Link to comment
Share on other sites

Can you imagine what a nightmare unique passwords would be?

"Hello, your password xyz12481632 is already in use. Please use something more difficult to remember so that we have to resend or (even worse) regenerate a new password (which has to be unique) every time you want to login."

The quick fix: post-it your password to your screen (and that beats the point of a password, doesn't it?).

Come to Japan if you want to know some ridiculous rules.

If you open a bank account, the employee asks you your PIN code (4-digit) and then writes it down on a paper, and you can not change it.

That kinda makes a PIN number/password obsolete, since it is now not secret (as in known by only 1 person) anymore.

anatak

Link to comment
Share on other sites

If you use an id as well, it's the same problem really.. someone who types someone else's username, id and password will be able to login.

You might be able to add security by restricting which IP addresses can login as which users. That's not practical for large sites though, as plenty of users either won't know their IP address or will need to login from different locations. Or both :)

Really, a password is enough security unless you're protecting something very sensitive.

Banks here use devices which generate one-time time-sensitive codes which you have to enter along with your id and password to access online banking. That solution might be out of your budget :)

Link to comment
Share on other sites
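
The check the replies describe, as an added example that is not part of the thread or anyone's actual login script: the login selects one row by email and verifies the password against that row only, so sharing a password with another user matters only if you also know it is theirs. The table layout, addresses and passwords are constructed for illustration, and storing passwords with PHP's `password_hash()` is an assumption the thread does not mention.

```php
<?php
// Added example: constructed schema and accounts, not the poster's script.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email TEXT NOT NULL UNIQUE,   -- the only credential column that must be unique
    password_hash TEXT NOT NULL   -- deliberately no UNIQUE constraint
)');

function register(PDO $db, string $email, string $password): void
{
    // password_hash() picks a fresh random salt on every call.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $email, string $password): ?int
{
    // Select the row by email only, then check the password against that row.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // no such account
    }
    return password_verify($password, $row['password_hash']) ? (int) $row['id'] : null;
}

// Constructed accounts: the first two happen to share a password.
register($db, 'me@example.com', 'blink182');
register($db, 'john@example.com', 'blink182');
register($db, 'jane@example.com', 'a different passphrase');

// Own email with own password.
var_dump(login($db, 'me@example.com', 'blink182'));
// John's email with a password that is also John's: accepted, as the replies say.
var_dump(login($db, 'john@example.com', 'blink182'));
// Jane's email with my password: rejected, the pair does not match her row.
var_dump(login($db, 'jane@example.com', 'blink182'));

// The two identical passwords are stored as different strings (different salts),
// so the table itself does not reveal which users share a password.
$hashes = $db->query('SELECT password_hash FROM users ORDER BY id LIMIT 2')
             ->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] === $hashes[1]);
```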