mike1313 Posted December 29, 2007 Share Posted December 29, 2007 So I want to encrypt user passwords on registration but I want to be able to decrypt the same password so if the user loses their password that can run password recovery what is a good function on this or should I create a custom function, since md5 and shai1 are out of the picture here since they are 1 way encryption. Quote Link to comment Share on other sites More sharing options...
PHP_PhREEEk Posted December 29, 2007 Share Posted December 29, 2007 A better solution would be that, if a user loses their password, have a script make a new one, md5 it and store it, then email the user the new password. They should have the ability to change it to whatever once they login with the system supplied one. PhREEEk Quote Link to comment Share on other sites More sharing options...
PHP_PhREEEk Posted December 29, 2007 Share Posted December 29, 2007 An after-thought... you want to ensure against malicious password resets, so the process should be: 1. User requests a password reset 2. System emails the account on record with an auth code for the password reset. 3. User retrieves email, and responds to the auth code challenge. 4. System generates a new password, and stores it md5'd. 5. New email sent to account on record with the new password. 6. User logs in with the temporary password and changes password to whatever they want from their profile page. PhREEEk Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.