Forgotten password
on 29.12.2007 13:24:40 by twomt
Hello,
are there any tutorials/guides out there that explain how to handle this
subject?
I was thinking of having a member enter his username and email, after
which I then email him a new password.
Question from my side is if there is a php method to auto generate a
strong password.
Many thanks,
twomt
--
Nemesis War
Online browser based space combat game.
It's free, it's great, you'll love it.
Come join us at http://www.nemesiswar.net/
Re: Forgotten password
on 29.12.2007 13:56:10 by Anthony Levensalor
twomt said:
> Hello,
>
> are there any tutorials/guides out there that explain how to handle this
> subject?
>
Google popped up 1.3 Million for "php password reset", so that's a place
to start, at least.
> I was thinking of having a member enter his username and email, after
> which I then email him a new password.
>
I normally have them enter just the username, and then silently ship off
the new password to the email address on file.
> Question from my side is if there is a php method to auto generate a
> strong password.
>
http://www.php.net/uniqid
Works every single time.
All the best,
~A!
--
Anthony Levensalor
anthony@mypetprogrammer.com
Only two things are infinite, the universe and human stupidity,
and I'm not sure about the former. - Albert Einstein
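Added example (not part of the original thread): one way to generate the random password asked about above. PHP's manual warns that uniqid() is derived from the current time and is not suitable for cryptographic use, so this example draws from random_int() (PHP 7+) instead; the function name, alphabet and length are assumptions.

```php
<?php
// Added example: generate a random password from a CSPRNG (PHP 7+).
// The alphabet and default length are assumptions chosen for illustration.

function generate_password(int $length = 16): string
{
    if ($length < 12) {
        throw new InvalidArgumentException('Use at least 12 characters.');
    }
    // Ambiguous characters (0/O, 1/l/I) are left out so the password
    // can be retyped from an e-mail without errors.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() draws from the OS CSPRNG and is unbiased over the range.
        $password .= $alphabet[random_int(0, $max)];
    }
    return $password;
}

$plain = generate_password();
// Store only a hash; the plaintext exists just long enough to be mailed.
$hash = password_hash($plain, PASSWORD_DEFAULT);
echo $plain, PHP_EOL;
var_dump(password_verify($plain, $hash)); // confirm the stored hash matches
```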
Re: Forgotten password
on 29.12.2007 14:10:21 by rf
"twomt" wrote in message
news:fl5ea5$d1u$1@aioe.org...
> Hello,
>
> are there any tutorials/guides out there that explain how to handle this
> subject?
>
> I was thinking of having a member enter his username and email, after
> which I then email him a new password.
To where would you email him the new password? What if I enter my email
address, do you email his new password to me?
--
Richard.
Re: Forgotten password
on 29.12.2007 14:50:13 by Anthony Levensalor
rf said:
> "twomt" wrote in message
> news:fl5ea5$d1u$1@aioe.org...
>> Hello,
>>
>> are there any tutorials/guides out there that explain how to handle this
>> subject?
>>
>> I was thinking of having a member enter his username and email, after
>> which I then email him a new password.
>
> To where would you email him the new password? What if I enter my email
> address, do you email his new password to me?
>
> --
> Richard.
>
>
No, that would be stupid. If someone has a password with me, as in an
account at one of my sites, I already have their email in a database. I
mail the new password to that address, and done is done.
~A!
--
Anthony Levensalor
anthony@mypetprogrammer.com
Only two things are infinite, the universe and human stupidity,
and I'm not sure about the former. - Albert Einstein
Re: Forgotten password
on 30.12.2007 04:46:44 by twomt
rf wrote:
> "twomt" wrote in message
> news:fl5ea5$d1u$1@aioe.org...
>> Hello,
>>
>> are there any tutorials/guides out there that explain how to handle this
>> subject?
>>
>> I was thinking of having a member enter his username and email, after
>> which I then email him a new password.
>
> To where would you email him the new password? What if I enter my email
> address, do you email his new password to me?
>
> --
> Richard.
>
>
The username and email have to match what is stored in the db,
if these match the new password would be mailed to that userid.
--
Nemesis War
Online browser based space combat game.
It's free, it's great, you'll love it.
Come join us at http://www.nemesiswar.net/
Re: Forgotten password
on 30.12.2007 04:53:15 by Jerry Stuckle
twomt wrote:
> rf wrote:
>> "twomt" wrote in message
>> news:fl5ea5$d1u$1@aioe.org...
>>> Hello,
>>>
>>> are there any tutorials/guides out there that explain how to handle
>>> this subject?
>>>
>>> I was thinking of having a member enter his username and email, after
>>> which I then email him a new password.
>>
>> To where would you email him the new password? What if I enter my
>> email address, do you email his new password to me?
>>
>> -- Richard.
>>
>
> The username and email have to match what is stored in the db,
> if these match the new password would be mailed to that userid.
>
What's the sense in making them input their email address? Just send it.
Otherwise you might have someone like me with 3 email addresses I use
regularly and a couple of others occasionally. I don't care which it
goes to - I check them all. But only I can get at any of them, anyway.
And I might not remember which one I used when I signed up.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Re: Forgotten password
on 30.12.2007 05:45:19 by rf
"Jerry Stuckle" wrote in message
news:kvednVyZON_Ki-ranZ2dnUVZ_r7inZ2d@comcast.com...
> twomt wrote:
>> rf wrote:
>>> "twomt" wrote in message
>>> news:fl5ea5$d1u$1@aioe.org...
>>>> Hello,
>>>>
>>>> are there any tutorials/guides out there that explain how to handle
>>>> this subject?
>>>>
>>>> I was thinking of having a member enter his username and email, after
>>>> which I then email him a new password.
>>>
>>> To where would you email him the new password? What if I enter my email
>>> address, do you email his new password to me?
>>>
>>> -- Richard.
>>>
>>
>> The username and email have to match what is stored in the db,
>> if these match the new password would be mailed to that userid.
>>
>
> What's the sense in making them input their email address? Just send it.
>
> Otherwise you might have someone like me with 3 email addresses I use
> regularly and a couple of others occasionally. I don't care which it goes
> to - I check them all. But only I can get at any of them, anyway. And I
> might not remember which one I used when I signed up.
In many of the places where I have a user-id (ISP, hosting etc) the email
address *is* the user-id. The real question then becomes: why do I need a
separate "member-id" when one of my email addresses identifies me anyway?
--
Richard.
Re: Forgotten password
on 30.12.2007 05:47:03 by Jerry Stuckle
rf wrote:
> "Jerry Stuckle" wrote in message
> news:kvednVyZON_Ki-ranZ2dnUVZ_r7inZ2d@comcast.com...
>> twomt wrote:
>>> rf wrote:
>>>> "twomt" wrote in message
>>>> news:fl5ea5$d1u$1@aioe.org...
>>>>> Hello,
>>>>>
>>>>> are there any tutorials/guides out there that explain how to handle
>>>>> this subject?
>>>>>
>>>>> I was thinking of having a member enter his username and email, after
>>>>> which I then email him a new password.
>>>> To where would you email him the new password? What if I enter my email
>>>> address, do you email his new password to me?
>>>>
>>>> -- Richard.
>>>>
>>> The username and email have to match what is stored in the db,
>>> if these match the new password would be mailed to that userid.
>>>
>> What's the sense in making them input their email address? Just send it.
>>
>> Otherwise you might have someone like me with 3 email addresses I use
>> regularly and a couple of others occasionally. I don't care which it goes
>> to - I check them all. But only I can get at any of them, anyway. And I
>> might not remember which one I used when I signed up.
>
> In many of the places where I have a user-id (ISP, hosting etc) the email
> address *is* the user-id. The real question then becomes: why do I need a
> separate "member-id" when one of my email addresses identifies me anyway?
>
Maybe to allow your userid to be public yet keep your email private?
That's why I do it on my customers' sites.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Re: Forgotten password
on 30.12.2007 21:40:56 by colin.mckinnon
On 29 Dec, 13:50, Anthony Levensalor
wrote:
> rf said:
>
> > "twomt" wrote in message
> >news:fl5ea5$d1u$1@aioe.org...
> >> Hello,
>
> >> are there any tutorials/guides out there that explain how to handle this
> >> subject?
>
> >> I was thinking of having a member enter his username and email, after
> >> which I then email him a new password.
>
> > To where would you email him the new password? What if I enter my email
> > address, do you email his new password to me?
>
> > --
> > Richard.
>
> No, that would be stupid. If someone has a password with me, as in an
> account at one of my sites, I already have their email in a database. I
> mail the new password to that address, and done is done.
>
> ~A!
>
> --
> Anthony Levensalor
> anth...@mypetprogrammer.com
>
> Only two things are infinite, the universe and human stupidity,
> and I'm not sure about the former. - Albert Einstein
1) that's inflexible - you are expecting the user to know 2 out of
three facts
2) it provides a way for a third party to carry out a denial of
service attack against your users.
If you look at existing systems the more sensible ones send out a URL
with a single use visa in the query part allowing the user to
access the site without presenting their login credentials.
C.
Re: Forgotten password
on 30.12.2007 22:28:59 by Jerry Stuckle
C. (http://symcbean.blogspot.com/) wrote:
> On 29 Dec, 13:50, Anthony Levensalor
> wrote:
>> rf said:
>>
>>> "twomt" wrote in message
>>> news:fl5ea5$d1u$1@aioe.org...
>>>> Hello,
>>>> are there any tutorials/guides out there that explain how to handle this
>>>> subject?
>>>> I was thinking of having a member enter his username and email, after
>>>> which I then email him a new password.
>>> To where would you email him the new password? What if I enter my email
>>> address, do you email his new password to me?
>>> --
>>> Richard.
>> No, that would be stupid. If someone has a password with me, as in an
>> account at one of my sites, I already have their email in a database. I
>> mail the new password to that address, and done is done.
>>
>> ~A!
>>
>> --
>> Anthony Levensalor
>> anth...@mypetprogrammer.com
>>
>> Only two things are infinite, the universe and human stupidity,
>> and I'm not sure about the former. - Albert Einstein
>
> 1) that's inflexible - you are expecting the user to know 2 out of
> three facts
Which is why I only require the user id.
> 2) it provides a way for a third party to carry out a denial of
> service attack against your users.
>
Not at all. At most the user will get one email per day. The system
won't send it more often than that.
> If you look at existing systems the more sensible ones send out a URL
> with a single use visa in the query part allowing the user to
> access the site without presenting their login credentials.
>
> C.
>
True. But just sending the password once works, also. Not as secure,
but often times it's secure enough.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
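Added example (not part of the original thread): the single-use URL token described by C., combined with the one-mail-per-day limit Jerry Stuckle mentions. The existing password is left unchanged until the token is redeemed, so a request made by a third party cannot lock the user out. The in-memory `$store` array, the function names and both time constants are assumptions standing in for a real database table.

```php
<?php
// Added example: single-use reset token plus a once-per-day send limit.
// $store stands in for a database table; all names here are hypothetical.

const TOKEN_TTL = 3600;       // assumed lifetime of a reset link: 1 hour
const SEND_INTERVAL = 86400;  // at most one reset mail per user per day

function issue_reset(array &$store, string $userId, int $now): ?string
{
    $last = $store[$userId]['sent_at'] ?? null;
    if ($last !== null && $now - $last < SEND_INTERVAL) {
        return null; // throttled: no second mail, existing password untouched
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $store[$userId] = [
        'token_hash' => hash('sha256', $token), // never store the raw token
        'expires_at' => $now + TOKEN_TTL,
        'sent_at'    => $now,
    ];
    return $token; // goes into the mailed URL's query string
}

function redeem_reset(array &$store, string $userId, string $token, int $now): bool
{
    $row = $store[$userId] ?? null;
    if ($row === null || $row['token_hash'] === null || $now > $row['expires_at']) {
        return false;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $store[$userId]['token_hash'] = null; // single use: burn it on success
    return true; // caller now lets the user choose a new password
}

// Constructed walk-through with a fixed clock.
$store = [];
$t0 = 1198960000;
$token = issue_reset($store, 'twomt', $t0);
var_dump(issue_reset($store, 'twomt', $t0 + 60) === null);       // second request same day
var_dump(redeem_reset($store, 'twomt', 'wrong-token', $t0 + 90));
var_dump(redeem_reset($store, 'twomt', $token, $t0 + 120));
var_dump(redeem_reset($store, 'twomt', $token, $t0 + 180));      // replay of the same link
```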