RE: Soliciting best approach for storing passwords . . .: msg#01180db.mysql.general
Barn.

I asked the same question a couple of weeks ago and all the answers I got pointed to one-way encryption. Actually, I had the same need as you, but understood that it was better to reset the password when a "Forgot password" request was made, send it to the user and ask them to change the password at the next login. I suppose you have the same problem that I had... few users who would get angry if asked to do such a thing. But then I realized that if I used a very common "words" list to generate random passwords, they might even learn that password without changing it.

After all the responses I've gotten regarding this issue, I never got the answer to how to do two-way encryption so, if this doesn't help you...

> -----Original Message-----
> From: databarn [mailto:databarn@xxxxxxxxxxx]
> Sent: Sunday, June 30, 2002 10:36 AM
> To: MySQL
> Subject: Soliciting best approach for storing passwords . . .
>
> Folk,
> I need some input on how best to store username/password combinations
> online. My preference would be to store a one-way encrypted value, but
> that is not possible in this situation. The constraint is that we have to
> make provision for giving the user's password back to the user after a
> "forgot my password" link has been clicked.
>
> (Oh, a secondary input would be on the best way to accomplish the password
> return to the user <grin />.)
>
> Normally, I store passwords as a one-way hash, then encrypt input to see
> if it matches, but I can't do that this time: I have to store a clear
> text or decryptable value. I've seen several approaches to this, but
> don't see any clear 'best practice'. Right now I'm leaning toward a
> multiple table design, but I have no real idea if this is a better model
> than a single table design. I'd really appreciate input from some of you
> who have wrestled with this problem before.
>
> If it matters, the development box is Win2K/IIS5, PHP 4.0.5, MySQL
> 3.23.32, and the implementation box is *nix/Apache 1.3.22, PHP 4.1.1,
> MySQL 3.23.47.
>
> I'd appreciate any suggestions for a best resolution. Thanks.
>
> Make a good day . . .
> . . . barn
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> If you're not confused, you're not paying attention
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ---------------------------------------------------------------------
> Before posting, please check:
> http://www.mysql.com/manual.php (the manual)
> http://lists.mysql.com/ (the list archive)
>
> To request this thread, e-mail <mysql-thread113423@xxxxxxxxxxxxxxx>
> To unsubscribe, e-mail <mysql-unsubscribe-icaam=icaam.com.ar@xxxxxxxxxxxxxxx>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
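The reset-instead-of-return flow described in the reply above, as an added example that is not part of the original message or thread: the stored one-way hash is replaced with one for a random word-list password, and the account is flagged so the next login forces a change. The table layout, function names, word list and the choice of PBKDF2 are assumptions for illustration, with Python and in-memory SQLite standing in for the thread's PHP/MySQL stack.

```python
import hashlib, hmac, secrets, sqlite3

# Constructed sample list; a real deployment needs thousands of words so
# that a four-word temporary password carries enough entropy.
WORDS = ["amber", "basil", "cedar", "delta", "ember", "flint", "grove", "heron",
         "iris", "jade", "kelp", "lotus", "maple", "nova", "onyx", "pearl"]
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

def hash_password(password, salt):
    # One-way salted hash: the clear text is never stored or recoverable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB,"
               " pw_hash BLOB, must_change INTEGER)")
    return db

def set_password(db, name, password, must_change=0):
    # Fresh salt on every change; also clears the forced-change flag
    # when the user picks a new password.
    salt = secrets.token_bytes(16)
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?, ?)",
               (name, salt, hash_password(password, salt), must_change))

def forgot_password(db, name, n_words=4):
    # The old hash is overwritten, so the old password stops working.
    # secrets.choice draws from the OS CSPRNG, not a predictable PRNG.
    temp = "-".join(secrets.choice(WORDS) for _ in range(n_words))
    set_password(db, name, temp, must_change=1)
    return temp  # caller sends this to the user's registered address

def login(db, name, password):
    row = db.execute("SELECT salt, pw_hash, must_change FROM users"
                     " WHERE name = ?", (name,)).fetchone()
    if row is None:
        return "denied"
    salt, pw_hash, must_change = row
    # Constant-time comparison of the recomputed hash with the stored one.
    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        return "denied"
    # A temporary password only grants access to the change-password step.
    return "change_required" if must_change else "ok"
```
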