[PHP-DB] Storing passwords in a database From: Lisi (lists <email protected>)
Date: 06/30/02

I know there's been discussion on the list before on this topic, but I'm a
little fuzzy on the details.

I want to create a site where users can create an account online, and then
log in to search job postings. I want to store their user info and
password in a database. I need a way for them to retrieve their passwords
if forgotten. I know there are two basic approaches:

1) Storing the passwords using some form of encryption, which can be
reversed and the password can be emailed to the user.

This seems to me to be preferable, since they don't have to change their
password whenever they forget it. However, are there security issues with
this? I know many people recommend the second method:

2) Generating a new random password which the user can then use to log in
and change to whatever they want.

What are the advantages of this, since someone would need access to the
person's email address with either method 1 or 2 in order to steal the
password?

What functions should I be looking at for encryption, for either method?
What are advantages and disadvantages of each method?

The site will not take credit card information, all accounts are free. So
the security issues are much less, but of course you do not want a site
where people's accounts are stolen even if there is not money involved.

I hope this is clear,

-Lisi 

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php