Soliciting best approach for storing passwords . . .

Folk,
I need some input on how best to store username/password combinations online.  
My preference would be to store a one-way encrypted value, but that is not 
possible in this situation.  The constraint is that we have to make provision 
for giving the user's password back to the user after a "forgot my password" 
link has been clicked.

(Oh, a secondary input would be on the best way to accomplish the password 
return to the user <grin />.)

Normally, I store passwords as a one-way hash, then encrypt input to see if it 
matches, but I can't do that this time:  I have to store a clear text or 
decryptable value.  I've seen several approaches to this, but don't see any 
clear 'best practice'.  Right now I'm leaning toward a multiple table design, 
but I have no real idea if this is a better model than a single table design.  
I'd really appreciate input from some of you who have wrestled with this 
problem before.

If it matters, the development box is Win2K/IIS5, PHP 4.0.5, MySQL 3.23.32, and 
the implementation box is *nix/Apache 1.3.22, PHP 4.1.1, MySQL 3.23.47.

I'd appreciate any suggestions for a best resolution.  Thanks.



Make a good day . . .
 . . . barn
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  If you're not confused, you're not paying attention
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <mysql-thread113423@xxxxxxxxxxxxxxx>
To unsubscribe, e-mail 
<mysql-unsubscribe-gcdmg-mysql=m.gmane.org@xxxxxxxxxxxxxxx>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php