+ 2

How about passwords how do we make them unique??🤔

Disturbed about primary keys and it's uses

17th Feb 2018, 1:18 PM
EKE KALU UCHE
EKE KALU UCHE - avatar
7 Respostas
+ 1
You never want to send a user's password! Instead, you send a forgotten password link. The user then clicks on the link in their email, which takes them to a form on your website (new password form), where they can create a new password. There are some security issues relating to this. When they enter their email address, that they registered with, on the forgotten password form, don't tell them if they have correctly or incorrectly entered an email address that's in your system! Just say something like "If the email you enter is registered with us, we'll send you a link where you can change your password". I usually do a two-way encryption of their email address, and add that to the unique link. I'm busy now, but can explain more later.
31st Mar 2018, 9:24 AM
Emma
+ 2
You don't make the password field unique. Only the username (often the email address) needs to be unique. Note, you should be storing password hashes and not plaintext passwords.
31st Mar 2018, 3:21 AM
Emma
+ 2
can you assist me understand how to convert the hashes back to plaintext?
31st Mar 2018, 8:52 AM
EKE KALU UCHE
EKE KALU UCHE - avatar
+ 2
ok thanks boss
31st Mar 2018, 9:30 AM
EKE KALU UCHE
EKE KALU UCHE - avatar
+ 1
You don't convert them back. A password hash, is a one-way hash. Firstly, if this is a programming project as part of your education, then no problem, but if you're creating a real system, it's better to use existing login libraries (I.e. that are part of an existing framework). This is because an existing login library, will have been tested and coded by many people, with many many hours invested into finding bugs, but more importantly, security holes. You also need a library or framework that is actively updated, and maintained. You store the one-way password hashes in the database. Then when a user is logging in, you just one-way hash the password they enter, and compare that with the hash in the database. That way you never need to store their plaintext password. Good luck!
31st Mar 2018, 9:07 AM
Emma
+ 1
No problem. Wishing you success :)
31st Mar 2018, 9:31 AM
Emma
0
My purpose for asking is centered on this scenario: A user loses his password and requests for it to be sent to his secure email. How is that possible with a one way hash as you earlier mentioned.
31st Mar 2018, 9:18 AM
EKE KALU UCHE
EKE KALU UCHE - avatar