Re: Handling forgotten passwords
- From: Erik Funkenbusch <erik@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 11 Jun 2006 23:15:20 -0500
On Sun, 11 Jun 2006 22:23:39 -0500, Showjumper wrote:
A question regarding forgotten passwords - As I understand it, it is best
and most secure to use a 1 way hash+salt to store passwords, and then if
the user has forgotten the password, generate a new password and then email
it to them. What I don't understand is how that is any more secure than using a
reversible encryption to store the password, which would allow decrypting and
then emailing it to the user. In both cases, an email is still sent w/ a
password.
Why email them their password? They already entered it, they know what it
is.
The thing to keep in mind is that if someone breaks into your server (not
something most people want to think about), can they get your users' data
somehow?
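The difference the reply points at, shown as an added example that is not from either poster: with a salted one-way hash the stored record cannot be turned back into the password, so the "forgotten password" path has to issue a fresh temporary password instead of recovering the old one. Names, the PBKDF2 iteration count and the in-memory user table are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # assumption: tune to your hardware, never lower it


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt$digest'; a fresh random salt per user
    so two users with the same password get different records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ROUNDS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _algo, rounds, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(rounds))
    return hmac.compare_digest(candidate, expected)


USERS = {}  # constructed stand-in for a user table


def register(username: str, password: str) -> None:
    USERS[username] = {"pw": hash_password(password), "must_change": False}


def login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    return rec is not None and verify_password(password, rec["pw"])


def reset_password(username: str) -> str:
    """Forgotten-password path: the old password cannot be recovered from the
    hash, so mint a random temporary one, store only its hash, and hand back
    the plaintext for one-time delivery; the user must change it on login."""
    temp = secrets.token_urlsafe(12)
    USERS[username]["pw"] = hash_password(temp)
    USERS[username]["must_change"] = True
    return temp
```

An attacker who copies this table gets salts and digests, not passwords; with reversible encryption the same copy plus the server's key yields every password in clear.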