There are a lot of similar questions, but I have not seen this one:
I am using the user's e-mail for the username, since they are unique yet memorable (not shown). And send_a_new_random_password
for "recovery", but it allows a disgruntled ex to change the user's password frequently :(
To get around it, I have 2 "correct" passwords in the user's record: password and new password (both have been handled with PHPass).
On the next successful login (check both), I save the password that was used as the password, and dump NewPASSWORD - This is the standard practice I
To activate the new password only if the user clicks on a link in the password change email, your system looks like it
If you do not want to send a password in the email (this is encrypted without all) you must use the reset link mechanism or use a temporary password that the user will change at the next login, but I think sending passwords in email most websites is at least about your safety.
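
The two-password scheme described in the question, as an added example that is not the poster's code: a recovery request fills only a pending slot, and the next successful login decides which hash survives. It uses PHP's built-in `password_hash()` in place of PHPass; the record layout, the function names and the one-hour expiry of the pending password are assumptions.

```php
<?php
// Added example, not the poster's code. password_hash() stands in for PHPass.
// Record layout and function names are hypothetical.
const PENDING_TTL = 3600; // assumption: a pending password expires after one hour

function request_recovery(array &$user): string
{
    // Store only the hash of the random password, and only in the pending slot.
    $plain = bin2hex(random_bytes(8));
    $user['new_password_hash'] = password_hash($plain, PASSWORD_DEFAULT);
    $user['new_password_expires'] = time() + PENDING_TTL;
    return $plain; // the caller e-mails this; 'password_hash' is left untouched
}

function login(array &$user, string $candidate): bool
{
    $pending = $user['new_password_hash'] ?? null;
    $pendingLive = $pending !== null
        && time() < ($user['new_password_expires'] ?? 0);

    $okCurrent = password_verify($candidate, $user['password_hash']);
    $okPending = $pendingLive && password_verify($candidate, $pending);
    if (!$okCurrent && !$okPending) {
        return false; // a failed login changes nothing in the record
    }
    if ($okPending) {
        $user['password_hash'] = $pending; // keep the password actually used
    }
    // Any successful login drops the pending slot.
    $user['new_password_hash'] = null;
    $user['new_password_expires'] = null;
    return true;
}

// Constructed sample record.
$user = ['email' => 'alice@example.test',
         'password_hash' => password_hash('original-secret', PASSWORD_DEFAULT),
         'new_password_hash' => null, 'new_password_expires' => null];

request_recovery($user);                    // recovery triggered by someone else
var_dump(login($user, 'original-secret'));  // owner logs in with the old password
var_dump($user['new_password_hash']);       // pending slot after that login
$mailed = request_recovery($user);          // owner genuinely forgot this time
var_dump(login($user, $mailed));            // login with the mailed password
var_dump(login($user, 'original-secret'));  // old password after promotion
```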