07-30-2005, 11:41 AM
Confirmed User
Join Date: Dec 2004
Location: San Diego, moving to Portland.
Posts: 2,758
Quote:
Originally Posted by V_RocKs
Best practices:
Encrypt the password in the DB using something sweet like MD5 or SHA1.
#1: Then when someone types in their password, the login script encrypts what they wrote and checks it against what is in the DB. If both encrypted passwords match, the person typed the right unencrypted password in the form.
#2: Make your password for the affiliate. If you did #1 correctly and someone can't decrypt your stolen DB, it doesn't matter, because they stole the unencrypted DB of your competition and guess what, 85% of webmasters use the same password EVERYWHERE.
#3: Have them create a secret question that must be answered with a phrase. Don't use stupid questions like "What is your favorite color?" 70% of the world prefers blue and 98% prefer a primary or secondary color. That leaves only 9 colors to play with and you are in on EVERY account. A better question would be "What is the best part of your lover?", and it should be answered with a phrase: "She has a great ass." The script would check for a minimum of 3 spaces and a length of at least 16 characters. This way you know it was a phrase...
#4: Answering it correctly would send an email to the email they signed up with. They should not just get direct access to the account.
#5: Emails must be from ISPs, not free accounts or domains owned by the affiliate. Hack their server and you get to read all their email.
Those are some great suggestions. I am going to pass them on to my programmer. Thanks a lot!
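A worked version of steps #1, #3 and #5 from the quoted post, added here as an example; it is not code from either poster. It swaps the post's MD5/SHA1 for a salted PBKDF2 hash (an assumption of this example, since an unsalted fast hash of a stolen DB is cheap to crack offline), collapses whitespace before the phrase check so padding spaces cannot fake a phrase, and the free-mail denylist and affiliate domains are constructed sample values.

```python
import hashlib
import hmac
import os

# Slow, salted hash in place of the post's MD5/SHA1 (assumption of this example).
PBKDF2_ITERATIONS = 200_000
# Constructed sample denylist of free-mail providers for step #5.
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store-side half of step #1: returns 'pbkdf2_sha256$iters$salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)  # fresh random salt per account unless one is supplied
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(typed: str, stored: str) -> bool:
    """Login-side half of step #1: hash what was typed and compare with the DB value."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        rounds, salt, digest = int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:  # malformed DB value: never treat it as a match
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", typed.encode("utf-8"), salt, rounds)
    # Constant-time compare so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def is_phrase_answer(answer: str) -> bool:
    """Step #3: the secret answer needs at least 3 spaces and 16 characters.
    Whitespace is collapsed first so padding with extra spaces cannot pass the check."""
    normalized = " ".join(answer.split())
    return normalized.count(" ") >= 3 and len(normalized) >= 16


def email_allowed(email: str, affiliate_domains: set) -> bool:
    """Step #5: reject free-mail addresses and any domain the affiliate controls."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        return False
    domain = domain.lower()
    blocked = FREE_MAIL_DOMAINS | {d.lower() for d in affiliate_domains}
    return domain not in blocked
```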