I need your recommendations. I am creating an application which requires users to have a username and password fields. What is need advice is with the password field. Should it be encrypted -password() or should I leave it as a text field?
What I would like to be able to do is e-mail the user's password to them if the need arises. But if I encrypt it, can it be unencrypted to be sent to the user in an emergency? So what should I do?
Please think about security and encode the user's passwords.
You can always mail them a randomly generated password should they lose theirs, or mail them a link to come in and assign themselves a new password (to keep people from just changing passwords for your users by filling in a form...).
If you store a users plain text password, you put them at risk when your passwords are discovered.
If you are on a shared server with PHP and mySQL, more than likely your database is not secure. Your web space is not secure, and you owe it to your users to at least protect their password - which they probably re-use on many systems on the Internet...
Yes, the password() will work just fine, it is suggested that you encrypt passwords, 'cos if a cracker finds a security hole in MySQL, he would have all the user's passwords in plain text, and since most users uses the same passwords for everything, such as email accounts, or even paypal accounts, you are putting all your users at risk by storing them in plain text.
Of course, the disadvantage of generating a new passwords for users is that anyone could put in someone elses username and generate them a new password.
So the best method I know of, is email them a link, where they can choose their own password, if they don't want to change it, just delete the email.