Yeah, I read that after I had posted this.

-----Original Message-----
From: John Holmes [mailto:holmes072000@xxxxxxxxxxx]
Sent: Sunday, October 03, 2004 7:04 AM
To: Dylan Barber
Cc: php-db@xxxxxxxxxxxxx
Subject: Re: Passwords in MySQL for a PHP site

Dylan Barber wrote:
> I am building a security script and am wondering what should I do to enable
> a user to recover his/her password if they forget it. I currently use
> PASSWORD() when inserting the password into the database so I don't know how
> to send them an unhashed string.
>
> Can someone direct me to an example or give me a few ideas!

Quote from MySQL manual:

"Note: The PASSWORD() function is used by the authentication system in MySQL
Server, you should not use it in your own applications. For that purpose, use
MD5() or SHA1() instead. Also see RFC 2195 for more information about handling
passwords and authentication securely in your application."

Your application should reset the password to some random value for the user
rather than giving them their original back and force them to change it the
next time they log on.

--

---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals - www.phparch.com

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
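
The reset-and-force-change flow recommended in the reply above, as an added example that is not part of the original thread. It stores the hash with PHP's `password_hash()` (a salted, slow hash) instead of the `MD5()`/`SHA1()` functions the quoted manual text names, which is a deliberate substitution. The `users` table, its column names, the function names and the in-memory SQLite database standing in for MySQL are all assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Hypothetical schema (not from the thread): users(email, pw_hash, must_change).

/** Random temporary password drawn from the CSPRNG, not rand()/mt_rand(). */
function temp_password(int $length = 16): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

/** Overwrite the stored hash, flag the account for a forced change, and return
 *  the temporary password for delivery (null if no such account exists). */
function reset_password(PDO $db, string $email): ?string
{
    $temp = temp_password();
    $stmt = $db->prepare('UPDATE users SET pw_hash = :h, must_change = 1 WHERE email = :e');
    $stmt->execute([':h' => password_hash($temp, PASSWORD_DEFAULT), ':e' => $email]);
    return $stmt->rowCount() === 1 ? $temp : null;
}

/** Login check: returns 'denied', 'change_required' or 'ok'. */
function check_login(PDO $db, string $email, string $password): string
{
    $stmt = $db->prepare('SELECT pw_hash, must_change FROM users WHERE email = :e');
    $stmt->execute([':e' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, (string) $row['pw_hash'])) {
        return 'denied';
    }
    return $row['must_change'] ? 'change_required' : 'ok';
}

// Demo on a constructed in-memory SQLite database standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT, must_change INTEGER)');
$db->exec("INSERT INTO users VALUES ('user@example.test', '', 0)");
$temp = reset_password($db, 'user@example.test');
echo check_login($db, 'user@example.test', (string) $temp), "\n";
echo check_login($db, 'user@example.test', 'not-the-password'), "\n";
```

The change-password handler that runs on `change_required` would store the user's new hash and set `must_change` back to 0; because only a hash is ever stored, the original password is never available to send back.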