Re: If the user forgets their password...

From: Sebastian Lauwers (dacrashanddie_at_nospam.9online.fr)
Date: 08/19/04


Date: Thu, 19 Aug 2004 01:09:43 +0200

NathanBrisk wrote:

> If the user forgets their password, what is the best way to handle it?
> Let them answer some "secret" question...email them their
> password?
>
> Suggestions wanted.

I'm on a project and I did the registration/login system part.

What I've done for password recovery is:

If the user gets on the password recovery he needs to provide the
username he used to log in with, and the email address that he provided
during the registration. If those two match, I generate a new password
that I send to him. The user needs to click on a link (that I send with
the email) for the password change to take effect. This way, if someone
wants to annoy another user by changing the password, if the user doesn't
click the link, his password isn't changed, so he isn't annoyed by other
people wanting to piss 'em off (well ok they'll get a mail, but that's it).

Of course, a PHP-generated password isn't really great to remember, so
I've added a way for the users to change their password.

HTH,
S.

-- 
The most likely way for the world to be destroyed,
most experts agree, is by accident.
That's where we come in; we're computer professionals.
We cause accidents.
                    --Nathaniel Borenstein
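
The recovery flow described in the reply above, as an added PHP example that is not part of the original post: the generated password is staged and replaces the current one only when the mailed link is confirmed. The class name, the in-memory arrays, the one-hour expiry and the hashed token storage are assumptions of this example.

```php
<?php
// Added example: arrays stand in for the users and pending-reset tables.
class PasswordRecovery
{
    private const TTL = 3600;    // link lifetime in seconds (assumed value)
    private array $users = [];   // username => [email, hash]
    private array $pending = []; // username => [token, hash, expires]

    public function register(string $user, string $email, string $password): void
    {
        $this->users[$user] = ['email' => $email, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
    }
    // Step 1: username and e-mail must match; returns [newPassword, token] to mail, else null.
    public function request(string $user, string $email, int $now): ?array
    {
        $account = $this->users[$user] ?? null;
        if ($account === null || strcasecmp($account['email'], $email) !== 0) return null;
        $newPassword = bin2hex(random_bytes(8));
        $token = bin2hex(random_bytes(32));
        // Only hashes are stored, and the live password is not touched yet.
        $this->pending[$user] = [
            'token' => hash('sha256', $token),
            'hash' => password_hash($newPassword, PASSWORD_DEFAULT),
            'expires' => $now + self::TTL,
        ];
        return [$newPassword, $token];
    }
    // Step 2: the mailed link was clicked; only now does the change take effect.
    public function confirm(string $user, string $token, int $now): bool
    {
        $p = $this->pending[$user] ?? null;
        if ($p === null || $now > $p['expires'] || !hash_equals($p['token'], hash('sha256', $token))) {
            return false;
        }
        unset($this->pending[$user]); // single use
        $this->users[$user]['hash'] = $p['hash'];
        return true;
    }
    public function login(string $user, string $password): bool
    {
        return isset($this->users[$user]) && password_verify($password, $this->users[$user]['hash']);
    }
}

// Constructed sample run: a request changes nothing until the link is confirmed.
$r = new PasswordRecovery();
$r->register('alice', 'alice@example.org', 'old-secret');
[$pw, $token] = $r->request('alice', 'ALICE@example.org', 1000);
var_dump($r->login('alice', 'old-secret'), $r->login('alice', $pw));   // state before the click
var_dump($r->confirm('alice', $token, 1500), $r->login('alice', $pw)); // state after the click
```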