1. Make up a random new password, PASSWORD() it, save it to the db while also setting the password expiration date to 20 minutes in the future, and setting a 'must change password' flag, and mail the un-encrypted password along with a link to change it.

2. Each time the visitor signs on, check the password expiration date; if it's in the past then go to step 1. Otherwise, check the PASSWORD(visitor's input keyword) for validity. If not valid, ask for the password again. If valid, and the must-change-password flag is set on the visitor's record, force the password change before allowing them any further.

If you want to get really elaborate, you could store an array of the last x passwords the visitor used, and not allow them to choose one of those.

> -----Original Message-----
> From: Sam Folk-Williams [mailto:sfolkwilliams@mn.rr.com]
> Sent: Monday, July 28, 2003 4:05 PM
> To: php-db@lists.php.net
> Subject: un-encrypting passwords
>
> Hi,
>
> I've got a PHP/MySQL site that uses a simple user table to check for a valid
> username/password match when logging someone in. I encrypted the passwords
> using mysql's PASSWORD() function. I now realize that was probably not the
> best choice, because I don't think it's possible to un-encrypt them. I want
> to add a feature that allows users to request to have their password emailed
> to them.
>
> Can anyone recommend a better method for encrypting passwords and how to
> unencrypt? (is there a function in PHP for this? Or a different MySQL
> function?)
>
> Thanks,
>
> Sam
>
> --
> Sam Folk-Williams
> Service Team Leader/Webmaster
> Rise, Inc -- Creative Partnerships South
> (952) 884 8330 (V); (952) 884 8371 (F)
> www.rise.org
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
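The reset-and-forced-change flow from the reply above (temporary password stored hashed, 20-minute expiry, must-change flag, and the optional last-x-passwords history), written out as an added Python model that is not code from either poster. It assumes a plain dict standing in for the user row, a SHA-256 stand-in for MySQL's PASSWORD(), and a history length of 5 for the reply's "x".

```python
import hashlib
import secrets
from datetime import datetime, timedelta

RESET_TTL = timedelta(minutes=20)   # expiry window named in the reply
HISTORY_LEN = 5                     # the reply's "last x passwords"; x=5 is an assumption


def hash_pw(plain: str) -> str:
    # Stand-in for MySQL PASSWORD(); a current app would use a salted, slow hash
    # (bcrypt/argon2). The flow below does not depend on which hash is used.
    return hashlib.sha256(plain.encode()).hexdigest()


def new_user(password: str) -> dict:
    # Constructed user record standing in for a row in the user table.
    return {"pw_hash": hash_pw(password), "pw_expires": None,
            "must_change": False, "history": []}


def _remember(user: dict) -> None:
    # Push the current hash onto the bounded history before it is replaced.
    user["history"] = ([user["pw_hash"]] + user["history"])[:HISTORY_LEN]


def start_reset(user: dict, now: datetime) -> str:
    """Step 1: random temporary password, stored hashed, expiring in 20 minutes.
    Returns the plaintext only so the caller can mail it with the change link."""
    temp = secrets.token_urlsafe(12)
    _remember(user)
    user["pw_hash"] = hash_pw(temp)
    user["pw_expires"] = now + RESET_TTL
    user["must_change"] = True
    return temp


def login(user: dict, attempt: str, now: datetime) -> str:
    """Step 2: 'expired' (go back to step 1), 'invalid', 'must_change', or 'ok'."""
    if user["pw_expires"] is not None and user["pw_expires"] < now:
        return "expired"
    if hash_pw(attempt) != user["pw_hash"]:
        return "invalid"
    if user["must_change"]:
        return "must_change"
    return "ok"


def change_password(user: dict, new_plain: str) -> bool:
    """Refuse any of the last HISTORY_LEN passwords, then clear expiry and flag."""
    new_hash = hash_pw(new_plain)
    if new_hash == user["pw_hash"] or new_hash in user["history"]:
        return False
    _remember(user)
    user["pw_hash"] = new_hash
    user["pw_expires"] = None
    user["must_change"] = False
    return True
```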