(I'm very grateful for all replies. Maybe some expert can answer other than the noble gdemaria, whom I am probably going to drive to drink with my incessant questions.)
Platform: CFMX 7, MS Access 2003
I've been looking in CFMX Bible and the Forta CFMX 7 book for a model or example that I can emulate, but have not found anything. Here's the problem. I need a way for a user to recover her password should she lose it.
I have a table, Users, that has these columns:
Password (this is a hashed value)
Salt (this is a salted value)
Users are able to register their information and select a password. That password is salted and hashed, then stored in the database.
What if user forgets her password?
She could go to the login.cfm page and click on a link, "Lost your password?", which should take her to a password recovery page. That recovery page would have a simple form and a Submit button. She would enter her email, and her password would get emailed to her.
I imagine I can do that using the handy CFMAIL tag. But how do I retrieve that salted and hashed password from my table Users, above, and include it in an email sent to the email address the user specified?
That might not be possible. My understanding of salt and hash is, you're not supposed to be able to unsalt and unhash it. At least not without a big computer and a lot of time. Correct?
I don't think there's a CF function to unsalt and unhash a password.
* Interesting Wiki article on Salt cryptography: http://en.wikipedia.org/wiki/Salt_%28cryptography%29
So, I am thinking of a Plan B. A user should be able to reset her password. She would need to be able to do so without logging in, of course. So she needs to be able to enter her email address in the Password Recovery (or, Password Reset) form, and then, several things happen:
1. a new password is generated randomly, salted and hashed, and stored in the database, replacing the old values
2. this new password, in plain text, is emailed to her
Plan C: She contacts the site admin and asks for a new password.
Plan D: Some other plan I have not thought of.
What is your view of this situation? I need some means to assist a user who has lost her (salted, hashed) password.
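Added example (not code from the original post, from gdemaria, or from either CF book): a runnable sketch of Plan B, and of the usual answer to "Plan D", a single-use, time-limited reset token sent as a link. It is written in Python rather than CFML so the logic can be run stand-alone; in CFMX 7 the same steps map onto Hash() for the digests, CreateUUID()/randRange() for the random values, CFQUERY for the updates and CFMAIL for the message. Assumptions: the Users table is stood in for by an in-memory dict; besides the post's Password and Salt columns it has an Email column plus two hypothetical columns, ResetTokenHash and ResetExpires; the salted hash is PBKDF2 rather than a single Hash() call; and the mail step is replaced by returning the value that would be mailed.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-in for the Users table. Password and Salt are the post's
# column names; Email, ResetTokenHash and ResetExpires are assumptions.
USERS: dict = {}

PBKDF2_ROUNDS = 100_000          # slow hash; a plain Hash() call would be faster to crack
RESET_TTL_SECONDS = 30 * 60      # reset links stop working after 30 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; this is what goes in the Password column."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(email: str, password: str) -> None:
    """Registration: fresh random salt, store only the salted hash."""
    salt = secrets.token_bytes(16)
    USERS[email.lower()] = {
        "Password": hash_password(password, salt),
        "Salt": salt,
        "ResetTokenHash": None,
        "ResetExpires": 0.0,
    }


def verify_login(email: str, password: str) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare."""
    row = USERS.get(email.lower())
    if row is None:
        return False
    candidate = hash_password(password, row["Salt"])
    return hmac.compare_digest(candidate, row["Password"])  # constant-time compare


# Plan B from the post: random temporary password, stored salted and hashed,
# plaintext sent to the user (here: returned, where CFMAIL would send it).
def reset_plan_b(email: str) -> Optional[str]:
    row = USERS.get(email.lower())
    if row is None:
        return None  # show the same "check your mail" page either way; do not reveal accounts
    temp = secrets.token_urlsafe(12)
    row["Salt"] = secrets.token_bytes(16)          # new salt with the new password
    row["Password"] = hash_password(temp, row["Salt"])
    return temp  # goes in the e-mail body; the user should change it after logging in


# Plan D: e-mail a link carrying a random token. Only the token's hash is stored,
# so a copy of the database does not let anyone reset passwords, and the token
# expires and is single-use. The user's existing password is left untouched until
# the link is actually used, so a stranger typing her address cannot lock her out.
def issue_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    row = USERS.get(email.lower())
    if row is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    row["ResetTokenHash"] = hashlib.sha256(token.encode()).digest()
    row["ResetExpires"] = now + RESET_TTL_SECONDS
    return token  # put in the mailed link, e.g. reset.cfm?email=...&token=...


def consume_reset_token(email: str, token: str, new_password: str,
                        now: Optional[float] = None) -> bool:
    """Called from the reset page: validates the link, then sets the new password."""
    row = USERS.get(email.lower())
    if row is None or row["ResetTokenHash"] is None:
        return False
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(digest, row["ResetTokenHash"]):
        return False
    if now > row["ResetExpires"]:
        return False
    row["ResetTokenHash"] = None  # single use: burn the token before anything else
    row["ResetExpires"] = 0.0
    row["Salt"] = secrets.token_bytes(16)
    row["Password"] = hash_password(new_password, row["Salt"])
    return True


if __name__ == "__main__":
    register("alice@example.com", "correct horse")
    tok = issue_reset_token("alice@example.com")
    print("link token:", tok)
    print("reset ok:", consume_reset_token("alice@example.com", tok, "new pass"))
    print("login with new password:", verify_login("alice@example.com", "new pass"))
```

Either plan answers the original question the same way: nothing is ever "unhashed"; the stored hash is simply replaced. The token variant is preferable because the mailed secret is short-lived, is useless once used, and never has to be typed in as a password.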