03-20-2007, 04:19 AM
If I sha1() my passwords before entering them into the database...
how can I send passwords by email if I can't de-sha1() them?
03-20-2007, 04:54 AM
You send a new random password, or get them to answer a secret question or 2. For complete security, never send a password; the latter is the best way. If it's a 'normal' non-personal system, i.e. no bank details involved, then send a new password via email.
03-20-2007, 04:58 AM
your sig = "Please do not add me to MSN in the hopes of me doing projects/code for you for free. If you have coding problems, use the forums. Thanks" <<< referring to me?
"You send a new random password, or get them to answer a secret question or 2. For complete security, never send a password, the latter is the best way. If it's a 'normal' non-personal system - ie no bank details involved, then send a new password via email"
What's the difference if they forgot their email? If it's someone else asking for the new password, it won't make a difference if they can read the email? But I guess the difference is easiness.
So you make a random password the same way you make a captcha string, then modify the database, and if successful you email them the random password?
03-20-2007, 12:56 PM
Referring to everyone.
The reason why you shouldn't send passwords via email is that email isn't that secure. There are ways for emails to be read while they're being sent from a server, but I am unsure how it's done. It's why you'll never get an email with your password sent to you by your bank.
You make a random password; if you're doing it by email, then send the unhashed version to them and store the hashed version in the db. Once they log in with that password, take them to a change password screen, so if they do keep the email with the password you sent, it'll no longer work as they've got a new one.
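The reset flow described in the post above, as an added PHP example that is not part of the original thread. It uses PHP's password_hash()/password_verify() in place of the thread's bare sha1(), and the $users array and the function names are hypothetical stand-ins for the real database table and application code.

```php
<?php
// Constructed in-memory user table standing in for the database (assumption).
$users = [
    'alice@example.com' => [
        'hash' => password_hash('old-secret', PASSWORD_DEFAULT),
        'must_change' => false,
    ],
];

// Generate a random temporary password, store only its hash, flag the account.
function issueTemporaryPassword(array &$users, string $email): ?string
{
    if (!isset($users[$email])) {
        return null; // caller shows the same "check your inbox" message either way
    }
    $temp = bin2hex(random_bytes(8)); // 16 hex chars from the CSPRNG, not captcha-style rand()
    $users[$email]['hash'] = password_hash($temp, PASSWORD_DEFAULT);
    $users[$email]['must_change'] = true;
    return $temp; // the plaintext exists only here, for the email body
}

// Returns 'denied', 'must_change' (send to the change password screen) or 'ok'.
function login(array $users, string $email, string $password): string
{
    if (!isset($users[$email]) || !password_verify($password, $users[$email]['hash'])) {
        return 'denied';
    }
    return $users[$email]['must_change'] ? 'must_change' : 'ok';
}

// Replace the emailed password so the copy left in the mailbox stops working.
function changePassword(array &$users, string $email, string $current, string $new): bool
{
    if (login($users, $email, $current) === 'denied' || $new === $current) {
        return false;
    }
    $users[$email]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$email]['must_change'] = false;
    return true;
}

// Walk through the flow: reset, log in with the emailed password, change it.
$temp = issueTemporaryPassword($users, 'alice@example.com');
var_dump(login($users, 'alice@example.com', 'old-secret')); // the forgotten password
var_dump(login($users, 'alice@example.com', $temp));        // the emailed password
changePassword($users, 'alice@example.com', $temp, 'a-new-passphrase');
var_dump(login($users, 'alice@example.com', $temp));        // emailed password after the change
var_dump(login($users, 'alice@example.com', 'a-new-passphrase'));
```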
03-20-2007, 01:34 PM
E-mail can be sniffed in many alternative ways. It passes through corporate firewalls, which may monitor the traffic. It often gets logged and saved for extended periods of time. It may get accidentally misdirected, and end up in somebody else's mailbox. The best way to keep such e-mail secret is to encrypt it. GnuPG is an example.
03-21-2007, 12:20 AM
What is GnuPG @ timgolding?
03-21-2007, 12:26 AM
http://en.wikipedia.org/wiki/GNU_Privacy_Guard can describe it better than me.