[nycphp-talk] online password replacement

Dan Cech dcech at phpwerx.net
Fri Mar 5 15:27:55 EST 2004


Allen Shaw wrote:
> Hi All,
> 
> I wonder if anyone here has experience implementing a lost-password-recovery
> function on a login-based website.  We're soon to be opening up our
> membership database to allow each individual to edit his or her own records.
> Naturally we have a login system in place, which our core staff is already
> using to access the database, but as of now any lost passwords would be
> replaced manually by the administrator.  If we open it to hundreds of people
> that will be too much to handle, so I need to develop a way for people to do
> it themselves (probably using an email address on file).  I'm sure I can
> create something that works, but I'm not confident yet to create something
> that both works and is fairly secure.
> 
> I googled around but couldn't find fruitful keywords.  Anybody have some
> recommendations on how best to handle this feature, or some place on the Web
> to look around?

A fairly standard approach is to simply generate a new random password 
and send it to the email address you have on file.

If you have additional data about your clients on file you may be able 
to implement a system which uses that data to authenticate the client, 
either then allowing them to change their password online or request a 
new password be sent to their stored email address.

Dan
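
The approach described in the reply above (generate a new random password and send it to the address on file), as an added example that is not part of the original message. It assumes PHP 7 or later; the in-memory `$users` array, the function names and the mailer callback are hypothetical stand-ins for the site's own database and mail code.

```php
<?php
// Added example: the user store, function names and mailer are hypothetical.

// Alphabet without look-alike characters (0/O, 1/l/I) to reduce typing errors.
const PASSWORD_ALPHABET = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Build the password from the OS CSPRNG; random_int() avoids modulo bias.
function generate_password(int $length = 16): string
{
    $max = strlen(PASSWORD_ALPHABET) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= PASSWORD_ALPHABET[random_int(0, $max)];
    }
    return $password;
}

// Replace the stored hash and mail the new password to the address on file.
// The address is read from the stored record, never from the request.
function replace_password(array &$users, string $login, callable $sendMail): void
{
    if (!isset($users[$login])) {
        return; // unknown login: nothing is changed and nothing is sent
    }
    $newPassword = generate_password();
    // Only the hash is stored; the plaintext exists just long enough to mail it.
    $users[$login]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $sendMail(
        $users[$login]['email'],
        'Your new password',
        "Your password has been replaced. New password: $newPassword\n"
    );
}

// Constructed sample data and a mailer that records messages instead of sending.
$users = ['member1' => [
    'email' => 'member1@example.org',
    'password_hash' => password_hash('old-password', PASSWORD_DEFAULT),
]];
$outbox = [];
$mailer = function (string $to, string $subject, string $body) use (&$outbox): void {
    $outbox[] = compact('to', 'subject', 'body');
};

replace_password($users, 'member1', $mailer); // known login: one message queued
replace_password($users, 'nobody', $mailer);  // unknown login: no message

printf("messages sent: %d, to: %s\n", count($outbox), $outbox[0]['to']);
```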