I am using the SHA1 algorithm to encrypt user passwords. Fair enough. Many user sign-in forms also have a provision to send you your password should you forget it. Is this possible with SHA1? Once encrypted, I don't see any way to retrieve it.
Brian
I am having to develop a similar system. What I intend to do if a user forgets the password is generate a new random one.
However, they will have to identify themselves first by supplying:
1) Their username
2) Their main email address - the new password will be sent to this address
3) The contents of a captcha image.
The first two will be validated against the database and if there is no match the password is not reset.
For the purposes of my system this is fine; it may also be worth adding security questions like mother's maiden name, name of junior school etc. to this process.
I have deliberately not developed a mechanism to decrypt the passwords as I don't want to be able to know all the passwords. So if a user forgets their password then they get a new one which, once used, they can reset or keep.
This is my solution to the problem, without too much discussion on hashing and encryption.
Cheers
nathj
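The reset flow nathj describes (username and e-mail checked against the database, captcha answered, then a fresh random password issued and only its hash stored), as an added example in Python. This is not code from either poster; the user table, the sample account, the captcha value and the 12-character temporary password length are constructed for the example. It also illustrates Brian's point: the table holds only SHA-1 digests, so there is nothing to send back, and the only option is to replace the password. Note in passing that a bare unsalted SHA-1, which is what the thread describes, is a fast hash and not what a practitioner would choose for password storage today; the hashing function is isolated so a salted, slow KDF can be swapped in.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> str:
    """Unsalted SHA-1 hex digest, as used in the thread.

    A fast unsalted hash is weak for password storage (identical passwords
    collide and brute force is cheap); a salted, slow KDF such as PBKDF2 or
    bcrypt should be used instead. Kept here to match the discussion.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed in-memory "database" for the example: username -> record.
# Only the digest is stored; the original password is not recoverable from it.
USERS = {
    "brian": {"email": "brian@example.com", "pw_hash": password_hash("hunter2")},
}


def check_login(username: str, password: str) -> bool:
    """Verify a sign-in by hashing the supplied password and comparing digests."""
    user = USERS.get(username)
    if user is None:
        return False
    # Constant-time comparison avoids leaking how many leading hex chars matched.
    return hmac.compare_digest(user["pw_hash"], password_hash(password))


def generate_temporary_password(length: int = 12) -> str:
    """Random password from a CSPRNG; alphabet omits easily confused glyphs (0/O, 1/l/I)."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reset_password(username: str, email: str, captcha_answer: str, captcha_expected: str):
    """The three-step identity check from the post, then a new random password.

    Returns (recipient_email, new_password) on success so the caller can send
    the mail, or None if any check fails (in which case nothing is changed).
    captcha_expected stands in for the answer the server generated when it
    rendered the captcha image (an assumption of this example).
    """
    # Step 3: captcha must match before the database is consulted at all.
    if not hmac.compare_digest(captcha_answer.strip().lower(), captcha_expected.lower()):
        return None
    # Steps 1 and 2: username and main e-mail address must both match the record.
    user = USERS.get(username)
    if user is None or user["email"].lower() != email.strip().lower():
        return None
    # All checks passed: issue a fresh password and store only its hash.
    new_password = generate_temporary_password()
    user["pw_hash"] = password_hash(new_password)
    return user["email"], new_password


if __name__ == "__main__":
    print("login before reset:", check_login("brian", "hunter2"))
    result = reset_password("brian", "brian@example.com", "x7k2", "x7k2")
    to, pw = result
    print(f"mail {pw!r} to {to}")
    print("old password still works:", check_login("brian", "hunter2"))
    print("new password works:", check_login("brian", pw))
```

The plaintext of the temporary password exists only in the return value that gets e-mailed, never in the table, which is the property nathj wants: nobody with database access can read users' passwords, and a user who forgets theirs gets a replacement rather than a recovery.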