Tek-Tips Forums

Hash() and the forgotten password 1

Status
Not open for further replies.

jsegura

MIS
Joined
Oct 13, 2004
Messages
12
Location
US
I'm storing users' passwords as hash(salt & password) in my db. The problem is, what if a user forgets his password? Ideally I want to send the user his password via email, but I'm not sure if this is possible. Are there any options?
 
There is no way to unhash.

The best thing you can do is reset the password. Here's a simple reset script.

Code:
<!--- Pick two random words from the list and join them into a temporary password --->
<cfset samplewords = "my,red,giant,big,dog,cat,banana,elephant,kangaroo,australia">
<cfset newword = listgetat(samplewords,randrange(1,listlen(samplewords))) & listgetat(samplewords,randrange(1,listlen(samplewords)))>

<!--- datasource="your_dsn" is a placeholder for your own datasource name.
      cfqueryparam keeps the username from being treated as SQL.
      Store newword the same way you store the original password (e.g. hash(salt & newword))
      or the user will not be able to log in with it. --->
<cfquery datasource="your_dsn">
  update users
     set password = <cfqueryparam value="#newword#" cfsqltype="cf_sql_varchar">
   where username = <cfqueryparam value="#username#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- from="noreply@example.com" is a placeholder; users_email_address comes from the user's record --->
<cfmail to="#users_email_address#" from="noreply@example.com" subject="Your new password!">Your new password is #newword#</cfmail>

You'll need to tweak the cfquery tag slightly and the cfmail tag heavily.

ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
 
I like to use a randomly generated number, usually 7 or more digits, and email them that, storing it in the database as a confirmation code. Then the user clicks the email link with the confirmation code and email address in the URL, their profile is looked up, and they are prompted to change their password.

The email address / confirmation code combo will never be the same, and if there is any tampering, it simply will not work, because there will be no database matches. Automated, and pretty safe.
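The flow described in the two replies above (generate a one-time reset credential, store it against the user, email it, look the user up by email plus code, then let them set a new password), written out as an added Python example that is not code from this thread. It goes a little beyond the posts: the stored password is a salted PBKDF2 hash rather than a single hash(salt & password) call, only a SHA-256 of the confirmation code is kept in the database so a copy of the table does not yield working links, the code expires and is single-use, and the comparison is constant-time. The in-memory USERS dict and the example.invalid link layout are stand-ins for a real users table and site.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for the "users" table used in the thread.
USERS = {}

RESET_TTL_SECONDS = 15 * 60  # a confirmation code stops working after 15 minutes


def hash_password(salt: bytes, password: str) -> bytes:
    """Salted, slow password hash (PBKDF2 here; the post uses hash(salt & password))."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": hash_password(salt, password), "reset": None}


def verify_login(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], hash_password(user["salt"], password))


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a one-time confirmation code for `email` and return it for mailing.

    Only sha256(code) is stored, so reading the table is not enough to forge a link.
    Returns None for an unknown address; the web page should still show the same
    "check your inbox" message so the form cannot be used to enumerate accounts.
    """
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return None
    code = secrets.token_urlsafe(32)  # ~256 bits of randomness, far beyond 7 digits
    user["reset"] = {
        "code_hash": hashlib.sha256(code.encode()).digest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return code


def build_reset_link(email: str, code: str) -> str:
    """Hypothetical link layout: email address and confirmation code in the URL, as in the post."""
    return f"https://example.invalid/reset?email={email}&code={code}"


def complete_reset(email: str, code: str, new_password: str, now: Optional[float] = None) -> bool:
    """Look the user up by email, check the code, and set the new password.

    Any tampering with email or code simply fails to match, as the post describes;
    an expired or already-used code fails the same way.
    """
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None or user["reset"] is None:
        return False
    pending = user["reset"]
    if now > pending["expires"]:
        user["reset"] = None
        return False
    presented = hashlib.sha256(code.encode()).digest()
    if not hmac.compare_digest(pending["code_hash"], presented):
        return False
    user["reset"] = None  # single use: the code is consumed now
    salt = secrets.token_bytes(16)  # fresh salt with the fresh password
    user["salt"] = salt
    user["pw_hash"] = hash_password(salt, new_password)
    return True


if __name__ == "__main__":
    create_user("alice@example.com", "old-pass")
    code = request_reset("alice@example.com")
    print("mail this link:", build_reset_link("alice@example.com", code))
    print("reset ok:", complete_reset("alice@example.com", code, "new-pass"))
    print("login with new password:", verify_login("alice@example.com", "new-pass"))
```

The `now` parameter exists so the expiry path can be exercised without waiting; in production leave it unset. Rate-limiting the reset form and logging both successful and failed completions are the usual additions on the detection side.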

 
You can always store password reminders to show the user also, but I don't like that; too easy to enter someone else's email address and get password hints.

 