Forgot Your Password?
Posted: Fri Jun 08, 2007 5:58 pm
by JellyFish
I'm working on a forgotten password page. But I can't decide which I should have:
Two fields, one being the username and the other being the email to which I match with the email in the database.
One field, just the username which is used to find the users info in the db and sends password to that email.
Which should I use? They're pretty much the same but it just seems like I should make it right.
And if you have any other solutions to a forgotten password page then please suggest.
Thanks for reading. I appreciate your comments on this.
Posted: Fri Jun 08, 2007 6:39 pm
by superdezign
Just use an email. Oftentimes, users have more than one username they use from site to site (depending on if someone's already registered with their "regular"), so they may forget their username as well.
I think the real issue is the security of where you save the passwords... But, you know.. Don't ask, don't tell.

Posted: Fri Jun 08, 2007 7:26 pm
by nickvd
Do both...
I may forget the username I used on your site, or I may forget what email address I used to sign up...
Posted: Fri Jun 08, 2007 7:56 pm
by JellyFish
This is just for forgetting the password.
I'll have a forgot your password and username.
When they've forgotten their username, I'll have them input their email, what else could I do?
When they've forgotten their password, I'll have them input their username and maybe their email (which is why I'm posting a question).
Or I could combine them all into a "Forgot Something" page and just have them input an email, then send username and password to that email.
Please help me with this one. What do you guys usually do? Which of the above do you believe to be most plausible?
Posted: Fri Jun 08, 2007 10:07 pm
by superdezign
JellyFish wrote: Or I could combine them all into a "Forgot Something" page and just have them input an email, then send username and password to that email.
That'd be the best choice. That way, they can always refer to that e-mail if they deleted their confirmation email. And yea, I think nickvd was on to something with the either/or. I say they input whichever one(s) they want, and you work from there, but they're only required to input one of them.
Posted: Fri Jun 08, 2007 11:12 pm
by JellyFish
Well, if they can't remember their username, they type in the email address. If they can't remember their email address then they type in their username. But how are they supposed to know which email of theirs to check?
Posted: Tue Jun 19, 2007 11:41 am
by illievee
I am working on a forgotten password page too - 2 fields, username and email (to match with database).
I could generate a new random password, email the user, have the new password stored in the database (to the right user).
But I am having trouble logging in with the new password. I am using MD5 encrypting method.
Any help?
PS: I'm a total noob

Posted: Tue Jun 19, 2007 11:46 am
by Oren
illievee, please start a new topic (on the "PHP - Code" forum probably) and give us more details and maybe some related code.
Posted: Tue Jun 19, 2007 11:54 am
by jayshields
I haven't read this thread in detail, so sorry if this has already come up.
I just want to say that I dislike "lost your password" methods where the user enters their username and/or email address then the password is changed to something random and emailed to them. Why? So someone doesn't like a user on a website and knows their username and/or password, they can not only spam the system (slowing it down) but they can annoy the real user by making them grab this new password from their email and change it back every time.
I much prefer a method where the user enters username and/or password, then a unique link is sent to them which, when accessed, resets the password (e.g. changes it to something random and then presents it to them in the webpage or a further email). If the link in the email is never clicked then the password remains the same as before.
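An added sketch of the link-based reset described in the post above (not part of the original thread and not any poster's code): requesting a reset leaves the stored password untouched, and only redeeming the emailed token changes it. The in-memory tables, function names, one-hour lifetime, PBKDF2 storage and letting the user pick the new password on redemption are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)

# Constructed in-memory stand-ins for the users and reset-token tables.
users = {}   # username -> {"email", "salt", "pw_hash"}
resets = {}  # sha256(token) -> {"username", "expires"}

def hash_password(password, salt):
    # Salted, deliberately slow hash for storage (PBKDF2, standard library).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def set_password(username, password):
    salt = os.urandom(16)
    users[username].update(salt=salt, pw_hash=hash_password(password, salt))

def check_password(username, password):
    u = users.get(username)
    return bool(u) and hmac.compare_digest(u["pw_hash"], hash_password(password, u["salt"]))

def request_reset(username, now=None):
    """Issue a reset token. The current password keeps working."""
    if username not in users:
        return None  # the page should show the same message either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    resets[digest] = {"username": username, "expires": now + TOKEN_TTL}
    return token  # goes into the emailed link; only its hash is stored

def redeem_reset(token, new_password, now=None):
    """Change the password only for a known, unexpired, unused token."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = resets.pop(digest, None)  # pop makes the token single-use
    if entry is None or now > entry["expires"]:
        return False
    set_password(entry["username"], new_password)
    return True

if __name__ == "__main__":
    users["alice"] = {"email": "alice@example.com"}  # constructed sample user
    set_password("alice", "old-pass")
    link_token = request_reset("alice")
    print(check_password("alice", "old-pass"))   # password unchanged so far
    print(redeem_reset(link_token, "new-pass"), check_password("alice", "new-pass"))
```

Repeated reset requests by a third party only generate unused tokens here; a real page would still rate-limit them to keep the mail volume down.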
Posted: Tue Jun 19, 2007 12:31 pm
by RobertGonzalez
How important is the security of the content behind the login? I ask because on the site I built for my company, I ask for their username (which is their email address) first, then if that is found, I take them to a second page where I ask them their password challenge question and accept their response. If that works, they get an email with a new password sent to their email on file. It also deactivates their account and creates an activation code, so they must present their account activation code after they get in the front door after changing their password.
If they don't remember their password challenge and response pair, they actually have to call and verify their identity over the phone using criteria in their account.