Which approach of these two is better?

Status
Not open for further replies.

ralphigo

Right off the assembly line
I'm in a dilemma about which of these two options to use for "forgot my password". Please list out the reasons to support which one is better.

1. The user is emailed a link to a page where he can reset his password if he or someone uses the forgot my password option.

2. The user is emailed the old password if he or someone uses the forgot my password option.

I would like to know which you think is better in all aspects, and why?

I hope to see some good replies ASAP.
 

victor_rambo

Horn OK Please
In my application, this is how I do it:

1. If a user requests resetting of password, he is asked to enter his username/email/both. An email is sent to that user to ask if he really had requested the password reset.
2. If the user confirms that he has requested the password reset, then the new password is generated and emailed to the user.

Note that the password is not yet changed in step 1, because it could be some other person trying to reset somebody's account.

Important:
If you are emailing the old password, it means that the application is not secure. Passwords can be stolen by anybody who has access to the database.

If you are designing some web application/website, I would advise you to read more on security.

The best way to store authentication details is to use salts and hashes of salted passwords. Simple hashes are also not that secure.
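The two points in the reply above (the account must not change until the e-mailed confirmation is acted on, and passwords must be stored as salted hashes) can be shown in one runnable flow. The code below is an added example, not victor_rambo's code or anything from the thread. It implements the link-based variant from option 1 of the question rather than mailing a newly generated password: the reset request only records a random single-use token, the e-mail carries that token, and the password is replaced only when the token holder submits a new one. The in-memory `USERS` and `RESET_TOKENS` dictionaries, the `TOKEN_TTL_SECONDS` window and the `now` parameter are assumptions made so the example runs offline; a real site would use a persistent store and send the token by e-mail.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "database" (assumption for this example):
# username -> {"salt": bytes, "hash": bytes}
USERS = {}
# sha256(token) -> (username, expiry timestamp). Only the hash of the
# token is stored, so reading the table does not yield a usable reset link.
RESET_TOKENS = {}

TOKEN_TTL_SECONDS = 15 * 60  # hypothetical 15-minute validity window


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user plus PBKDF2
    key stretching, instead of a bare hash of the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def register(username, password):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(digest, rec["hash"])


def request_reset(username, now=None):
    """Step 1: somebody asks for a reset. Nothing about the account changes.
    Returns the token that would be embedded in the e-mailed link, or None
    when the account does not exist (the web page should show the same
    generic message in both cases)."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("ascii")).digest()
    RESET_TOKENS[key] = (username, now + TOKEN_TTL_SECONDS)
    return token


def complete_reset(token, new_password, now=None):
    """Step 2: only the holder of the e-mailed token can set a new password.
    The token is single-use (popped on first use) and expires."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("ascii")).digest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    salt, digest = hash_password(new_password)
    USERS[username] = {"salt": salt, "hash": digest}
    return True


if __name__ == "__main__":
    register("alice", "old-secret")
    token = request_reset("alice")
    print("token for e-mail link:", token)
    print("old password still valid before confirmation:", verify_password("alice", "old-secret"))
    print("reset accepted:", complete_reset(token, "new-secret"))
    print("old password rejected afterwards:", verify_password("alice", "old-secret"))
```

Because the old password is never readable from the store (only a salt and a PBKDF2 digest are kept), option 2 from the question is simply not possible here, which is the point of the reply's warning about emailing old passwords.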
 