allow user to update their own password

generic

8:18 pm on Apr 6, 2009 (gmt 0)


Hi all, I'm trying to figure out the best way to offer a user the option to change an existing password from a member area. Right now I have the password encrypted via md5 in the database, obviously making it impossible to display back to the user in the control panel. Any thoughts on what would be the best way (security-wise) to go about this without just leaving the password unencrypted?

I'd like to have an input box that shows the actual password and allows the user to update by simply changing the textbox, if possible.

Thanks in advance!

stajer

8:40 pm on Apr 6, 2009 (gmt 0)


As part of your security policies, you should never display an unencrypted password - even to an authenticated user.

The standard way to do this is to give the user three type="password" fields to complete:

1: Enter your current password
2: Enter your new requested password
3: Re-enter your new requested password

The first field asks the user to enter their current password, which you check against the database to re-authenticate the user. This ensures someone hasn't just stumbled upon an unlogged-out session or spoofed your cookies.

The next fields ask the user to enter their new password (and retype it to confirm).
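The three-field flow Stajer describes, written out as a small handler. This is an added example, not code from the thread; the salted PBKDF2 storage format and the minimum-length rule are assumptions (the original poster stores a bare MD5 hash, which is unsalted and fast and so a poor fit for password storage).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption for this example: passwords are stored as salted PBKDF2-SHA256.
ITERATIONS = 200_000


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredPassword:
    """Derive a salted hash; a fresh random salt is used when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return StoredPassword(salt, digest)


def verify_password(stored: StoredPassword, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    candidate_digest = hash_password(candidate, stored.salt).digest
    return hmac.compare_digest(stored.digest, candidate_digest)


def change_password(stored: StoredPassword, current: str, new: str,
                    confirm: str) -> Tuple[str, Optional[StoredPassword]]:
    """Validate the three form fields; return (status, new_record_or_None).

    Field 1 re-authenticates the user before anything else is trusted, so a
    hijacked or left-open session alone is not enough to change the password.
    """
    if not verify_password(stored, current):
        return "wrong-current-password", None
    if new != confirm:
        return "confirmation-mismatch", None
    if len(new) < 8:  # minimum length is an assumed policy for this example
        return "too-short", None
    if verify_password(stored, new):
        return "unchanged", None
    return "ok", hash_password(new)  # new salt and digest to write back
```

Only the returned status is shown to the user; the current or new password is never echoed back into the form.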

generic

8:46 pm on Apr 6, 2009 (gmt 0)


Ahh yes, that makes sense. OK, I'll give that a whirl. Thanks for the advice, Stajer :)