Lol, how does that work?
So then there's two passwords, one that I can use, and the other is the reset one. But once I log in using the reset one, that becomes the new password? What if somebody is trying to recover their password, but I'm just repeatedly clicking the reset button, lol. Of if all the passwords are valid, can't I just click the reset button a million times, and then probably just type anything and have it be one of the reset passwords? I don't really like this system, but then, it's hard to think of something else when you don't really know how people actually do it. You're sure that there's no hole...?

There are two fields in the database, one for the regular password, and another for the reset one. Reseting your password fills the reset-password field with a randomly generated password, and each time you log in it checks to see if your password matches any one of them. But remember that you need your current password if you want to change it to a new password, so it doesn't clear the reset-password field until you change your password again. The email you get clearly tells you to change your password right away.

I don't know if I like the idea of somebody clicking the reset button on my account, and now there's another password floating around that can be used to log into my account with.

Did any of our members sign up using fake emails? New members should be relatively protected from this because of verification, but if you email doesn't exist, I could create it and...

You are confusing me.

!!! I can now ask about it! I think in the old interguild (2006 - 2008) was that verification code. I think because of it I didn't log in there. There was also one e-mail for one user rule. Don't think about it!

The problem is that without a password, it's hard to make sure that the user is legitimate. You know what, I'm gonna set up a pruning device so that whenever you successfully log in using the real password, it'll clear the reset-password field.

maybe we could force everyone to verify their emails before being able to log in again? Sounds like a pain, actually...

Lol, don't do that. But there's a way to tell whether or not they exist, right?

Lol i was about to post what csd said. then i read livio's answer, and that's pretty cool.

this is good

other than sending them an email? I don't know, maybe I should look it up...

I just looked it up and it turns out there is a way to check if an email exists using php and without having to send them mail. I should probably try that on all of the users emails to see how many of them don't exist. And I could probably add that check to the register page too.

Btw, I looked at how dekudude runs the password-rest system on his site, and he sends two emails: one confirming whether you want to reset your password, and then another that actually resets it. Maybe doing it like that would be theoretically more secure because you wouldn't have two passwords at any one time...

I swear, Livio, you always code things beyond necessary. Why don't you just use the standard "forgot your password" system and make it so that the currently used password of the account is sent to the email address? There's no need to mix things up with a reset password. But, uh, yeah, email verification was a good implementation.

While that may be true, it's just that passwords are so secure that I cannot retrieve them from the database. They are encoded into some code, and there is no way to decode them (and that's the point of the system).