Secure login

[web guru]

I have written a login script and I think I have made it as secure as possible - check session id, user ip, encrypted passwords along with a few other methods. But I have used MD5 to encrypt my passwords. This is a one way encryption method, thus even the sys admin doesent know what your password is. But what if a user forgets hi/her password. How could I go about finding it out. I was thinking about storing the password somewhere else, but then what would be the point in encrypting it in the first place? Ay one got any ideas how to go about this or even any other ideas of encrypting passwords??

 

[adam_uk]

secret question

ur get the user to enter there user name and it sends an email with the pw in it to the adress in the user profile

 

[deadserious]

I think you would probably want to have something like a forgot password feature and have it generate a random password and send it to the email address you have on file and of course it would need to update your system so that randomly generated password was now their password until they login and change it.

That is probably quite a bit more coding, but I think that would be about your best option if you're using one way encryption like MD5. Most, if not all of the software that I've used, which uses MD5 for passwords seems to have a feature that works this way.

Another option would be to use RC4 if you wanted a way to encrypt and decrypt passwords.

 

[web guru]

Thanks dead thats a great idea!!

 

[$D$2]

Can I get a copy of this code, I would like to encrypt it into my own website!

Thanks! :D

P.S. Your script sounds great!

 

[adam_uk]

Originally posted by $D$2
Can I get a copy of this code, I would like to encrypt it into my own website!

Thanks! :D

P.S. Your script sounds great!

why dont u make it urself

 

[Corey Bryant]

Check out: http://www.outfront.net/spooky/login.htm for a free version of a similar script.