
Thread: Password Fields

  1. #1
     SitePoint Member (joined May 2001, East Harlem, Spanish Harlem, El Barrio, 13 posts)

     Password Fields

    Hi,
    I need your recommendations. I am creating an application which requires users to have username and password fields. What I need advice on is the password field. Should it be encrypted with password(), or should I leave it as a text field?

    What I would like to be able to do is e-mail the user's password to them if the need arises. But if I encrypt it, can it be decrypted to be sent to the user in an emergency? So what should I do?

  2. #2
     thewitt, SitePoint Evangelist (joined Apr 2001, 468 posts)
    Please think about security and encode the user's passwords.

    You can always mail them a randomly generated password should they lose theirs, or mail them a link to come in and assign themselves a new password (to keep people from just changing passwords for your users by filling in a form...).

    If you store a user's plain text password, you put them at risk when your passwords are discovered.

    If you are on a shared server with PHP and MySQL, more than likely your database is not secure. Your web space is not secure, and you owe it to your users to at least protect their password, which they probably re-use on many systems on the Internet...

    -t

  3. #3
     SitePoint Member (joined May 2001, East Harlem, Spanish Harlem, El Barrio, 13 posts)
    thewitt,
    Thanks for your reply. I appreciate it.
    Anyone else?

  4. #4
     midnight coder (joined Dec 2000, The flat edge of the world, 838 posts)
    Yes, password() will work just fine. It is suggested that you encrypt passwords, because if a cracker finds a security hole in MySQL he would have all the users' passwords in plain text, and since most users use the same password for everything, such as email accounts or even PayPal accounts, you are putting all your users at risk by storing them in plain text.

    Of course, the disadvantage of generating new passwords for users is that anyone could put in someone else's username and generate them a new password.

    So the best method I know of is to email them a link where they can choose their own password; if they don't want to change it, they just delete the email.

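The scheme the two replies converge on, as an added example that is not code from the thread or from either poster: store only a salted, deliberately slow hash of the password, and handle "I forgot it" by e-mailing a single-use, expiring link that lets the user pick a new password, leaving the old one valid until that link is used. It is written in Python with an in-memory SQLite table standing in for the posters' PHP/MySQL setup, and it uses PBKDF2 from the standard library rather than MySQL's PASSWORD(), which MySQL's own documentation says is for the server's account system and not for application passwords. The function names, the iteration count, the one-hour link lifetime and the sample user are all my assumptions.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import time

PBKDF2_ITERATIONS = 100_000   # assumption: raise this for production hardware
RESET_TOKEN_TTL = 60 * 60     # assumption: a reset link is good for one hour


def open_db():
    """In-memory stand-in (constructed) for the thread's users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            username      TEXT PRIMARY KEY,
            password_hash TEXT NOT NULL
        );
        CREATE TABLE reset_tokens (
            token_hash TEXT PRIMARY KEY,
            username   TEXT NOT NULL,
            expires_at INTEGER NOT NULL
        );
    """)
    return conn


def hash_password(password, salt=None):
    """Random per-user salt + PBKDF2-HMAC-SHA256, stored as 'salthex$hashhex'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def register(conn, username, password):
    """Only the hash ever reaches the database; the plain text is dropped."""
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 (username, hash_password(password)))


def login(conn, username, password):
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    # Run the slow hash even for unknown users so response time does not
    # reveal which usernames exist.
    stored = row[0] if row else hash_password("")
    return verify_password(stored, password) and row is not None


def request_reset(conn, username, now=None):
    """Return the secret for the e-mailed link, or None for an unknown user.
    Only SHA-256(token) is stored, so reading the table gives no working link,
    and the current password is untouched until the link is actually used."""
    if now is None:
        now = int(time.time())
    if conn.execute("SELECT 1 FROM users WHERE username = ?",
                    (username,)).fetchone() is None:
        return None
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO reset_tokens VALUES (?, ?, ?)",
                 (hashlib.sha256(token.encode()).hexdigest(),
                  username, now + RESET_TOKEN_TTL))
    return token


def complete_reset(conn, token, new_password, now=None):
    """Consume the token from the link; reject unknown, expired or reused ones."""
    if now is None:
        now = int(time.time())
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    row = conn.execute(
        "SELECT username, expires_at FROM reset_tokens WHERE token_hash = ?",
        (token_hash,)).fetchone()
    # Delete first so the link is single use whether or not it was valid.
    conn.execute("DELETE FROM reset_tokens WHERE token_hash = ?", (token_hash,))
    if row is None or row[1] < now:
        return False
    conn.execute("UPDATE users SET password_hash = ? WHERE username = ?",
                 (hash_password(new_password), row[0]))
    return True


if __name__ == "__main__":
    db = open_db()
    register(db, "alice", "correct horse")
    link_secret = request_reset(db, "alice")   # this goes into the e-mailed URL
    print("old password still works:", login(db, "alice", "correct horse"))
    print("reset accepted:", complete_reset(db, link_secret, "new passphrase"))
    print("old password now fails:", not login(db, "alice", "correct horse"))
    print("reused link rejected:", not complete_reset(db, link_secret, "again"))
```

Two design points worth noticing. Because request_reset changes nothing in the users table, a stranger who types someone else's username into the form achieves nothing but an unwanted e-mail, which is exactly the objection raised against "generate a new password" in post #4. And because only a hash of the link secret is stored, even the "database is not secure" case from post #2 does not hand an attacker a usable reset link; they would still need to intercept the e-mail itself.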
