I want to try this myself, as an experience.
Scenario:

I have a member join and member log-in, wherein the password is encrypted in the database (MySQL).

Now let's say he forgot the password and is too lazy to open his email account just to get the password recovery.

What I thought of is to only show the encrypted password, since the admin level cannot see the username. I wanted to show the non-encrypted password information, which could only be accessed by customers.

All 6 Replies

You aren't 100% clear on what you want to do; however, I will say this: passwords are normally encrypted so that they aren't reversible. They are verified by encrypting what the member enters and comparing that with the encrypted version that is in the database. This makes them pretty safe and hard to abuse, even if someone does get access to them. The approach that you seem to be suggesting to cater to lazy people makes the passwords less safe. If you are going to have a login process, it makes sense to make it as secure as you can. Otherwise, what's the point?

Member Avatar for diafol

Passwords are usually hashed. This isn't quite the same as encrypting. These hashes are intentionally one-way. You can improve security by using salts and/or multiple hashes.

Some hashes have been cracked (allegedly) and some are not considered very secure due to the existence of 'rainbow tables'. You may benefit from reading up on hashing.

If a user forgets his/her password, you could supply a new time-limited single use password in your email and/or supply an activation token (url) that's linked to the new password.

Lots of possibilities. Have a look at the underlying code of open source software like phpBB3 to see how they implement 'forgot password'.
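The two points made in this thread, one-way salted hashing with verification by re-hashing (chrishea's reply) and a time-limited, single-use reset token sent by email (diafol's reply), put together as an added example. This is not code from the thread or from phpBB3; it is written in Python rather than PHP so that it runs stand-alone, and the MySQL tables are replaced by two hypothetical in-memory dicts (`USERS`, `RESET_TOKENS`). Only the hash of the reset token is stored, so a database leak does not hand out live reset links.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Hypothetical in-memory stand-ins for the MySQL member and token tables.
USERS = {}          # username -> {"salt": bytes, "hash": bytes, "email": str}
RESET_TOKENS = {}   # sha256(token) hex -> {"username": str, "expires": float}

PBKDF2_ITERATIONS = 200_000   # slow on purpose: makes offline cracking expensive
TOKEN_TTL_SECONDS = 15 * 60   # reset link is only good for 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted key derivation. Same password + different salt = different hash,
    so rainbow tables built for unsalted md5/sha1 are useless here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str, email: str) -> None:
    salt = os.urandom(16)   # fresh random salt per member
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt), "email": email}


def verify_login(username: str, password: str) -> bool:
    """Re-hash what the member typed with the stored salt and compare to the stored hash.
    The plaintext is never stored and cannot be recovered from the hash."""
    rec = USERS.get(username)
    if rec is None:
        return False
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"])


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create the token that goes into the emailed reset URL. Only its hash is stored,
    so someone reading the database cannot use the pending tokens."""
    if username not in USERS:
        return None   # caller should still show a neutral "check your email" message
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[key] = {"username": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Single use: the token entry is removed on first presentation, valid or not,
    and rejected if past its expiry. On success the member gets a new salt and hash."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None or now > entry["expires"]:
        return False
    salt = os.urandom(16)
    user = USERS[entry["username"]]
    USERS[entry["username"]] = {**user, "salt": salt, "hash": hash_password(new_password, salt)}
    return True


def demo() -> dict:
    """Constructed walk-through: register, log in, reset via token, retry the used token."""
    register("alice", "correct horse", "alice@example.com")
    register("bob", "correct horse", "bob@example.com")     # same password, different salt
    results = {
        "login_ok": verify_login("alice", "correct horse"),
        "login_wrong": verify_login("alice", "wrong"),
        "salted": USERS["alice"]["hash"] != USERS["bob"]["hash"],
    }
    token = issue_reset_token("alice", now=1000.0)
    results["reset_ok"] = redeem_reset_token(token, "battery staple", now=1060.0)
    results["reset_reuse"] = redeem_reset_token(token, "again", now=1070.0)   # single use
    results["new_login"] = verify_login("alice", "battery staple")
    results["old_login"] = verify_login("alice", "correct horse")
    stale = issue_reset_token("bob", now=0.0)
    results["expired"] = redeem_reset_token(stale, "x", now=TOKEN_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the design deliberately does not do: it never shows the member (or the admin) the stored hash, and it never emails the old password, because the server does not have it. The emailed token is the only secret in the flow, and it dies on first use or after the TTL.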

Well, as you have said, an ACTIVATION TOKEN is somehow applicable. So you mean it's ethical to use an ACTIVATION token? Anyway, in my Registration Form page there were credentials such as Secret Question and Secret Answer (the Secret Answer is encrypted by the md5 algorithm). Would that be OK for most people? Since the activation token on most websites dealing with forgotten email passwords is used together with the secret answer and username as well.

The point is recovering the password without opening email.

Member Avatar for diafol

Ethical? The fact that the user has an email address linked to his username should present an easy way to allow a member to log in again. Asking security questions, IMO, is a bit dangerous.

I agree with Ardav and Chrishea. Also, you never know who is trying to retrieve a password, and if I forget a password, how should I remember a secret question and a related secret answer? If you don't want to deal with passwords, allow your users to log in with OpenID: http://en.wikipedia.org/wiki/OpenID

bye
