I've now had a chance to look at the way SkaDate does passwords. It stores them in plain text (i.e. human readable). This is a mistake!! Passwords should NEVER be stored in plain text or sent by e-mail. (I hoped SkaDate didn't do it, but it does). I will say that it is quite common for websites (including dating websites) to store passwords as plain text, but that does not make it right.
This is how passwords SHOULD be done:
- the password is NOT displayed when you type it in (most people get this right)
- the password should only ever be stored as a one-way hash value (e.g. md5, see for example http://be.php.net/md5 ), meaning that you can get the password in, but you cannot get back what the original password was
- when a user logs in again, they type in their password, that is converted to an md5 hash, compared with the one in the database, and if they match, the user is let in.
- if they lose their password, they can be sent (to the e-mail on file) a machine generated, temporary new one, which must be changed on entering the system
One of the dangers of storing passwords as plain text is that if anyone hacks into the database and manages to get the profile table, they get all the passwords!! With a hash value this is never possible, and so it is extremely secure.
Will you make this change?
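The flow described above (store only a hash, re-hash and compare at login, e-mail a machine-generated temporary password that must be changed), as an added PHP example. This is not SkaDate's code and not from the original post; it uses PHP's built-in password_hash()/password_verify() (a salted, deliberately slow hash) in place of the bare md5() the post mentions, because an unsalted md5 table can be cracked quickly once it leaks. The $users array stands in for the profile table, the storePassword/login/issueTemporaryPassword function names are assumptions made for this example, and the actual e-mail sending is left out.

```php
<?php
// Added example, not SkaDate code. $users stands in for the profile table
// (a VARCHAR(255) hash column in a real database). Function names are
// chosen for this example only.

declare(strict_types=1);

// Registration or password change: store only a one-way hash of the password.
// password_hash() salts each hash and uses a slow algorithm (bcrypt by
// default), so two users with the same password get different hashes and a
// leaked table cannot be attacked with a precomputed md5 lookup.
function storePassword(array &$users, string $username, string $password): void
{
    $users[$username] = [
        'hash'        => password_hash($password, PASSWORD_DEFAULT),
        'must_change' => false,
    ];
}

// Login: hash what the user typed and compare it with the stored hash.
// The plaintext never needs to be stored and never reaches the database.
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Hash anyway so an unknown username costs the same time as a wrong password.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    return password_verify($password, $users[$username]['hash']);
}

// Lost password: generate a random temporary password, store only its hash,
// flag the account so the user must pick a new password on first login, and
// return the plaintext once so the caller can e-mail it to the address on file.
function issueTemporaryPassword(array &$users, string $username): string
{
    $temporary = bin2hex(random_bytes(8)); // 16 hex characters, 64 bits of entropy
    $users[$username] = [
        'hash'        => password_hash($temporary, PASSWORD_DEFAULT),
        'must_change' => true,
    ];
    return $temporary;
}

// Why a salted hash and not a bare md5(): two users with the same password.
// With md5() the stored values are identical, so cracking one cracks both and
// a precomputed table of common passwords works against the whole profile table.
function sameMd5(string $a, string $b): bool
{
    return md5($a) === md5($b);
}
function sameSaltedHash(string $a, string $b): bool
{
    return password_hash($a, PASSWORD_DEFAULT) === password_hash($b, PASSWORD_DEFAULT);
}

// --- Walk-through with constructed data ---
$users = [];
storePassword($users, 'alice', 'correct horse battery staple');
storePassword($users, 'bob',   'correct horse battery staple');

echo "alice correct password: ", login($users, 'alice', 'correct horse battery staple') ? "ok" : "denied", "\n";
echo "alice wrong password:   ", login($users, 'alice', 'wrong') ? "ok" : "denied", "\n";
echo "unknown user:           ", login($users, 'nobody', 'anything') ? "ok" : "denied", "\n";

// What a database dump would give an attacker: hashes only, and different ones
// for alice and bob despite the identical password.
echo "alice row: ", $users['alice']['hash'], "\n";
echo "bob row:   ", $users['bob']['hash'], "\n";
echo "md5 would collide:        ", sameMd5('secret', 'secret') ? "yes" : "no", "\n";
echo "password_hash collides:   ", sameSaltedHash('secret', 'secret') ? "yes" : "no", "\n";

// Password reset: temporary password is e-mailed (sending omitted here), then
// the user logs in with it and is forced to choose a new one.
$temp = issueTemporaryPassword($users, 'alice');
echo "login with temporary:   ", login($users, 'alice', $temp) ? "ok" : "denied", "\n";
echo "must change on entry:   ", $users['alice']['must_change'] ? "yes" : "no", "\n";
storePassword($users, 'alice', 'a brand new password'); // clears must_change
echo "temporary after change: ", login($users, 'alice', $temp) ? "ok" : "denied", "\n";
```

Note the temporary password is the only plaintext that is ever sent anywhere, it is sent once, and it stops working as soon as the user sets their own; the user's chosen password never exists outside the login request.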