We have three choices and only three choices when using 2.0 Password
Recovery:
// Choice...
1.) Store and send the password as clear text
2.) Hash the password when stored in the database
3.) Encrypt the password when stored in the database
// Results...
1.) Should be out of the question for obvious reasons
2.) There is no way to send the current password. A new password will be
generated and sent using the MailDefinition configuration settings.
3.) The password must be decrypted and can be sent as clear text or mailed
as an encrypted querystring value in a link that sends the querystring back
to the page where it can be decrypted on the server. (this latter approach
is one I am considering at the moment)
I'm working my way through all of this myself right now. Its time consuming
to do all the study but it must be done to understand what is going on and
which decisions to make,when and why.
It is not easy at all to put together an elegant login, change password,
password recovery strategy that remains robust. There are several "gotchas"
that have to be discovered and then resolved using some type of compromise
that still requires us to write code to refine what the controls do not
support OOTB.
<%= Clinton Gallagher
NET csgallagher AT metromilwaukee.com
URL
http://www.metromilwaukee.com/clintongallagher/
"Stuart Ferguson" <st**************@btinternet.com> wrote in message
news:uH**************@TK2MSFTNGP05.phx.gbl...
I am currently implementing a change password screen in my site and wish
to send an email back to the user saying the password has been changed
but not send the new password in the mail, i was looking to implement a
form of confirmation and was wondering if anyone had any examples of how
to perform this.
Many thanks in advance
Stuart
*** Sent via Developersdex http://www.developersdex.com ***
