I’ve been looking into storing user passwords in mysql and the ubiquitous reply is to store it using an encryption algorithm like MD5 or SHA1. But what if user x forgets her password and wants it to be sent to her? What then? I can’t send her the md5 hash! How is this issue dealt with in the real world? Are there two databases? One to compare hashes and another for forgotten passwords? But what’s the difference? Both would be read-only by the sql user connecting to it at that time. So how do you do it? Thanks!!
It’s pretty standard security practice to never send users their password. Instead, you offer a password reset utility that is tied to their ability to access their e-mail account, and/or their ability to answer questions about their profile (like a security question or what postal code they live in).
Functionality Outline:
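An added example (not the answer's outline and not code from the original post) of the approach the answer describes: passwords are stored only as salted one-way hashes, so there is nothing to mail back, and a forgotten password is handled by e-mailing a random single-use reset token whose hash alone is stored with an expiry. The in-memory dicts stand in for the MySQL tables, and PBKDF2-HMAC-SHA256 is chosen here as an assumption in place of the bare MD5/SHA1 mentioned in the question.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for the database tables.
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # username -> {"token_hash": bytes, "expires": float}
TOKEN_TTL_SECONDS = 15 * 60

def _kdf(password: str, salt: bytes) -> bytes:
    # Salted, iterated PBKDF2 (assumption: used instead of bare MD5/SHA1).
    # One-way: the plaintext cannot be recovered from the stored value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh per-user salt on every (re)set
    USERS[username] = {"salt": salt, "hash": _kdf(password, salt)}

def verify_login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _kdf(password, rec["salt"]))

def request_reset(username: str, now=None):
    """Create a reset token; only its hash is stored. The plaintext token is
    what the site e-mails to the address on file (mailing not shown here)."""
    if username not in USERS:
        return None  # caller shows the same message either way
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    RESET_TOKENS[username] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token

def complete_reset(username, token, new_password, now=None) -> bool:
    rec = RESET_TOKENS.get(username)
    if rec is None:
        return False
    now = time.time() if now is None else now
    if now > rec["expires"]:
        del RESET_TOKENS[username]  # expired tokens are discarded
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(rec["token_hash"], presented):
        return False
    del RESET_TOKENS[username]      # single use: consumed on success
    register(username, new_password)  # re-salt and re-hash the new password
    return True
```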