How do I go about implementing a secure password reset function without sending the user an e-mail? There is another secure bit of information that I store and only the user should know, but it seems insecure to just let the user update a password just because they know a 9 digit number.
Note that user data is stored in a simple SQL table due to limitations on real database users on the server I'm working on.
Any input would be appreciated.
Update:
After making an attempt at OpenID and remembering that this server doesn't allow PHP (and thus, cURL) to make any external requests, I tried sending mail with PHP again. Apparently all of my previous terrible experiences with mail() on this server have gone away.
Thanks for all of your input, I may look into OpenID again in the future.
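As an added example (not part of the original question or any answer on this page), the PHP below sketches the two-step reset the question is circling around: the user first proves knowledge of the 9-digit secret, and only then is a random, single-use, time-limited token issued and delivered with mail(). The `$users` array stands in for the question's "simple SQL table"; the column names (`reset_hash`, `reset_expires`, `secret_attempts`), the 15-minute token lifetime and the five-attempt lockout are assumptions, not anything the post specifies.

```php
<?php
// Added example, not code from the original post. Requires PHP 7.0+
// (random_bytes, hash_equals, password_hash/password_verify).
// The $users array is a stand-in for the SQL table in the question; in a real
// deployment each function would read/write one row instead.
declare(strict_types=1);

const RESET_TTL_SECONDS   = 15 * 60; // assumed policy: token lives 15 minutes
const MAX_SECRET_ATTEMPTS = 5;       // assumed policy: lock reset after 5 wrong answers

// Constructed sample row. The 9-digit secret is stored hashed, never in clear,
// because a 9-digit number has only ~10^9 possibilities and is trivially
// brute-forced offline if the table ever leaks.
$users = [
    'alice' => [
        'password_hash'   => password_hash('old-password', PASSWORD_DEFAULT),
        'secret_hash'     => password_hash('123456789', PASSWORD_DEFAULT),
        'reset_hash'      => null, // sha256 of the outstanding reset token, or null
        'reset_expires'   => 0,    // unix time after which the token is void
        'secret_attempts' => 0,    // consecutive wrong answers to the secret
    ],
];

// Step 1: the user answers the 9-digit secret. password_verify() compares in
// constant time; the attempt counter turns an online brute force of 10^9
// values into a handful of guesses per lockout.
function checkSecret(array &$users, string $username, string $secret): bool
{
    if (!isset($users[$username])) {
        // Unknown user: spend comparable time so timing does not reveal
        // which usernames exist.
        password_verify($secret, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    $u = &$users[$username];
    if ($u['secret_attempts'] >= MAX_SECRET_ATTEMPTS) {
        return false; // locked; unlocking is an out-of-band support action
    }
    if (!password_verify($secret, $u['secret_hash'])) {
        $u['secret_attempts']++;
        return false;
    }
    $u['secret_attempts'] = 0;
    return true;
}

// Step 2: issue a 256-bit random token. Only its SHA-256 is stored, so a read
// of the table does not hand an attacker a usable token. The clear token is
// returned for delivery out of band (mail() in the question's update).
function issueResetToken(array &$users, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $users[$username]['reset_hash']    = hash('sha256', $token);
    $users[$username]['reset_expires'] = $now + RESET_TTL_SECONDS;
    return $token;
}

// Step 3: redeem the token and set the new password. Fails on unknown user,
// missing or expired token, or mismatch; a token can succeed at most once.
function redeemResetToken(array &$users, string $username, string $token,
                          string $newPassword, int $now): bool
{
    if (!isset($users[$username]) || $users[$username]['reset_hash'] === null) {
        return false;
    }
    $u = &$users[$username];
    if ($now > $u['reset_expires']) {
        $u['reset_hash'] = null; // discard expired tokens rather than leave them lying around
        return false;
    }
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false; // constant-time compare; known value goes first
    }
    $u['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $u['reset_hash']    = null; // single use
    $u['reset_expires'] = 0;
    return true;
}

// Usage: the flow end to end, with the token shown inline instead of mailed.
$now = time();
if (checkSecret($users, 'alice', '123456789')) {
    $token = issueResetToken($users, 'alice', $now);
    // mail($address, 'Password reset', "Your reset code: $token"); // once mail() works
    var_dump(redeemResetToken($users, 'alice', $token, 'new-password', $now)); // first use
    var_dump(redeemResetToken($users, 'alice', $token, 'again', $now));        // same token again
    var_dump(password_verify('new-password', $users['alice']['password_hash']));
}
```

The design point is that the 9-digit number alone should never be enough to set a new password: it is a weak, guessable factor, so it gates only the issuing of a strong random token, and the token is what actually authorises the change. The attempt counter, the expiry and the single-use invalidation are what make the weak factor tolerable; without them an attacker can simply iterate the 10^9 candidates against the reset form.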
Punt on the password issue. Switch to OpenID. You don't have to worry about password reset, and the user only needs a new password if they want one.
It's a win-win.