If you had to pick what type of password reset system you used, which would it be?
I spent some time looking into different password reset methods, from both sides of the coin, so to speak: the user side and the dark side. If you think hard about it, the answer would be not to have any user accounts at all! Looking at Zen Cart, you have to ask yourself what it is you are protecting. For me, I prefer not to hold any card or payment information on my servers or in my SQL database. The only thing I'm trying to protect is the user information: address, phone number. I don't ask for birth dates.
So, looking at the possible coding, I can find only three possible solutions: 1) email a password and hope they change it; 2) create a token, email it attached to a URL, and if the token matches, let them change their password; 3) have them create an answer to a question, and if the email and the answer are right, let them change their password.
I don't like the current method of emailing a password and hoping they will change it. Sending the URL with a token is good, but what happens when the email address is dead? I've run into this problem and had to call them to get the password changed. I like the idea of keeping them on site and giving them self-help, or even better, how about letting them pick a solution? Something like: "Please pick how you wish to reset your password."
I've finished coding my solution; here's your opportunity to give it a go.
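As an added illustration of option 2 above (not the poster's code, and not Zen Cart's own reset implementation), here is a minimal token-based reset flow in Python. The names `ResetTokenStore`, `TOKEN_TTL_SECONDS` and `build_reset_url` are assumptions for this example; the in-memory dictionary stands in for a database table. The points it demonstrates are the ones that matter for the "dark side": the token is unguessable, only its hash is stored (so a leaked table does not hand out live reset links), it expires, it is single-use, and issuing a new token for a user cancels any earlier one.

```python
import hashlib
import secrets
import time

# Hypothetical lifetime for a reset link (assumption, not a Zen Cart setting).
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Hypothetical store for password-reset tokens, keyed by token hash."""

    def __init__(self, now=time.time):
        # Injectable clock so expiry can be exercised without sleeping.
        self._now = now
        # token_hash -> {"user_id": ..., "expires": ...}
        self._records = {}

    @staticmethod
    def _hash(token):
        # Store only a hash: a database dump must not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id, revoking any earlier one."""
        # Drop outstanding tokens for this user so only the newest link works.
        stale = [h for h, rec in self._records.items() if rec["user_id"] == user_id]
        for h in stale:
            del self._records[h]

        # 32 random bytes from the OS CSPRNG; not guessable, unlike a
        # timestamp or an incrementing id.
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = {
            "user_id": user_id,
            "expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return token

    def redeem(self, token):
        """Return the user_id the token belongs to, or None if it is invalid.

        The record is removed on the first attempt, whether or not it has
        expired, so a link can never be used twice.
        """
        rec = self._records.pop(self._hash(token), None)
        if rec is None:
            return None
        if rec["expires"] < self._now():
            return None
        return rec["user_id"]


def build_reset_url(token, base="https://shop.example/reset"):
    """Build the link that would be emailed to the customer (hypothetical URL)."""
    return f"{base}?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue(user_id=42)           # constructed sample user id
    print("email this:", build_reset_url(link_token))
    print("first use :", store.redeem(link_token))  # 42
    print("second use:", store.redeem(link_token))  # None, single-use
```

When the customer follows the link, the application calls `redeem()` with the token from the query string and, only if it returns a user id, shows the new-password form for that account. The request page should respond identically whether or not the email address exists, so the reset endpoint cannot be used to enumerate customers; and, as the post notes, a dead mailbox still leaves the customer stuck, which is where an on-site alternative earns its keep.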