  1. #1
    Regular Coder vw98034's Avatar
    Join Date
    Feb 2004
    Posts
    196
    Thanks
    3
    Thanked 0 Times in 0 Posts

    Requested Information for username and password retrieval/reset

    I am working on a web site which requires some degree of security. A pair of username and password is requested for authentication. I need to provide some methods in case a user can't remember one or both pieces of login information. A user can retrieve his/her username by providing the email address in his/her account. That is, the system will send you your username by email if you can provide your email address. I am wondering how to let a user reset the password. Is a username enough, or is a pair of username + email address needed for a good balance between security and convenience?
    A fresh approach of web site directory - open source, useful, dynamic: bookmark, web site directory, and reminder

  • #2
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    What I do on some sites is when a user wants to reset their password, they must enter their username or email address. Keeping track of the original email address used to create the account might be a good idea; this way any methods of resetting the password are sent only to the email address of the person who created the account in the first place. The user's account could have been hacked, at which point the hacker may have changed their preferred email address or something. I don't recommend actually sending them their password in an email. Maybe a link that has a unique code that was generated for them and stored in a db somewhere. After clicking the link, they must again provide their username or email address, at which point they should be allowed to reset their password.
    ||||If you are getting paid to do a job, don't ask for help on it!||||
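
The reset flow described in the post above, as an added example that is not part of the original thread: a random code is generated, stored server-side, sent only to the address the account was created with, and redeemed only when the user supplies their username or email again. The in-memory `USERS` and `RESET_TOKENS` tables, the 30-minute lifetime, storing only a SHA-256 digest of the code, and single-use redemption are assumptions of this sketch, not details given by the poster.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime; the thread does not specify one

# Constructed stand-ins for database tables.
USERS = {"alice": {"original_email": "alice@example.com"}}
RESET_TOKENS = {}  # username -> {"digest": str, "expires": float}


def _digest(token):
    # Store only a digest so a leaked table does not expose usable codes.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(identifier, now=None):
    """Issue a code for a username or email; return (email, token) or None."""
    now = time.time() if now is None else now
    for username, user in USERS.items():
        if identifier in (username, user["original_email"]):
            token = secrets.token_urlsafe(32)  # unguessable code for the link
            RESET_TOKENS[username] = {"digest": _digest(token),
                                      "expires": now + TOKEN_TTL_SECONDS}
            # The link goes to the original address, never a changed one.
            return user["original_email"], token
    return None  # the page should respond identically for unknown accounts


def redeem_reset(identifier, token, now=None):
    """Return the username if the code is valid for this identifier, else None."""
    now = time.time() if now is None else now
    for username, user in USERS.items():
        if identifier not in (username, user["original_email"]):
            continue
        record = RESET_TOKENS.get(username)
        if record is None or now > record["expires"]:
            RESET_TOKENS.pop(username, None)  # drop expired codes
            return None
        # Constant-time comparison of the stored and presented digests.
        if not hmac.compare_digest(record["digest"], _digest(token)):
            return None
        del RESET_TOKENS[username]  # single use: a replayed link fails
        return username
    return None
```
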

  • #3
    Regular Coder vw98034's Avatar
    Join Date
    Feb 2004
    Posts
    196
    Thanks
    3
    Thanked 0 Times in 0 Posts
    Thanks for your inputs, Aerospace Engineer.

    Because both username and email address are publicly accessible information, it is safer to request both for password reset. Since a password is hashed and salted, it is not retrievable. It shall not be sent to anyone by email.
    A fresh approach of web site directory - open source, useful, dynamic: bookmark, web site directory, and reminder

