How to send password with confirmation email (PHP)
Question
First off, I realize this is an extremely bad practice - however, I've seen sites that do this, and I was wondering.
Is there anyway to send a password along with registration details, and still have the password stored as a hash?
So, basically, upon registration, the user receives a confirmation email, along with their username and password, to save for reference. When a website does this, do they store the password as a hash, or as plaintext?
The password is stored as plaintext in the email- however, is it simply stored as plaintext in the server, or hashed after the email is sent?
This may seem like an odd question, but since I've seen many sites doing this, I 'd like to know- was my initial assumption wrong? So, is this practice actually a bad one, or is it secure? (I see no other reason so many sites would do this)
2 answers
solution1
3 ACCPTED 2016-10-06 13:56:22
"@Fred-ii- Could you copy/paste that comment as an answer? I – Zack105"
As requested:
"however, is it simply stored as plaintext in the server, or hashed after the email is sent?"
We don't know how every service is used and what they really do. Some may store passwords as plain text, some may hash. Some may store plain text passwords inside a different location with a lock & key, some may do that and hash; it can be anything.
If you're going to want to start a service of your own or is for a user signup site, then store passwords as a hash and not as plain text. There are too many scenarios for what you asked. I hope we've given you enough to get started.
Another thing if you don't know about this, are prepared statements and should be used if you are wanting to get user input and will help against a possible SQL injection.
References:
- https://en.wikipedia.org/wiki/Prepared_statement
- https://en.wikipedia.org/wiki/SQL_injection
- http://php.net/manual/en/book.password.php
A comment from deceze , pulled from a (now deleted) answer:
I quote:
"Best practice is to let the user choose their own password, and to never store or send it in plaintext at any point. The password is a secret which must solely exist in the user's head (or secure password manager). The security of the user's account depends on the secrecy of the password. The more the password is being exposed in plaintext, the lower the security of the account." – deceze
solution2
1 2016-10-06 13:23:41
Don't. It's that simple. Sites that do this do it out of laziness. They don't ever want support calls asking for passwords, or a technologically illiterate person has forced IT to do it. Passwords should never be sent over the wire in plaintext. People are stupid and reuse passwords, etc. If you're so worried that people have already forgotten their passwords, send them a link to your password reset page in that email.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.