[thelist] Retrieving password() field from a MySQL table

noah noah at tookish.net
Tue Jan 21 00:39:00 CST 2003


At 01:24 AM 21/01/2003, Hassan Schroeder wrote:
>noah wrote:
>
>>People are lazy. If you do this, be sure to filter out people who enter
>>"schnauser53" as their challenge question.
>
>why? -- see below
>(snip)
>(1) perhaps people don't have as exalted an idea of the security
>     of your site as you do -- I've seen registration required for
>     utterly trivial sites that acted like they were protecting my
>     bank account *and* Dick Cheney's Unspecified Location(tm).
>
>     Excessive "security" demands on users lead to monitors swathed
>     in Post-Its with userids and passwords...

Granted, but insufficient security demands on users lead to private
information being compromised. Obviously you don't need to jump through
hoops to protect pictures of your cat, but I assumed since the poster wants
information on the best way to run a password authentication system that he
(or she, I'm afraid I don't remember) believes that this stuff needs
protecting. If you're going to bother to implement some form of security,
you might as well do it reasonably well.

>(2) if you're picking challenge questions, put some thought into
>     the big-picture implications; I'm *not* going to tell you my
>     mother's maiden name.
>
>     Lame generic questions? Well, sorry, I don't have a favorite
>     color, fabric, or tire tread pattern.
>
>     If you make me pick one, I'll forget it in five minutes, and
>     the next time I want to use your site, I'll be tasking your
>     customer service department for a password change, costing you
>     money (maybe) and good will (certainly).

Agreed. I don't think this method is much better.

I am by no means an expert on security, but of all the suggestions I've
seen in this thread, I think that resetting a forgotten password to
something new and then emailing that to the user is the best approach. Of
course, this doesn't account for the fact that their Hotmail password may
be the same as their username . . . :-)

Cheers,
Noah
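The reset-and-e-mail flow Noah describes above, as an added example that is not part of the original post or of any code from this thread. It assumes a users table with a username, e-mail and password column (here an in-memory sqlite3 table standing in for the MySQL table of the subject line), stores a salted PBKDF2 hash in place of MySQL's one-way PASSWORD() value (so the old password cannot be "retrieved", only replaced), and represents the e-mail step by returning the message body rather than sending it. The work factor, the one-hour validity of the temporary password and the must-change flag are assumptions, not anything the post specifies.

```python
import hashlib
import secrets
import sqlite3
import time

ITERATIONS = 200_000       # PBKDF2-HMAC-SHA256 work factor (assumption)
TEMP_PASSWORD_TTL = 3600   # temporary password lifetime in seconds (assumption)


def open_db():
    """Constructed stand-in for the users table discussed in the thread.
    pw_hash holds a salted one-way hash, never the plaintext."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        username     TEXT PRIMARY KEY,
        email        TEXT NOT NULL,
        salt         BLOB NOT NULL,
        pw_hash      BLOB NOT NULL,
        must_change  INTEGER NOT NULL DEFAULT 0,
        temp_expires REAL)""")
    return db


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def set_password(db, username, password, temporary=False):
    """Store a fresh salt and hash; a temporary password is flagged must_change
    and given an expiry so a reset mail that is read late is useless."""
    salt = secrets.token_bytes(16)
    expires = time.time() + TEMP_PASSWORD_TTL if temporary else None
    db.execute(
        "UPDATE users SET salt=?, pw_hash=?, must_change=?, temp_expires=? "
        "WHERE username=?",
        (salt, hash_password(password, salt), int(temporary), expires, username))
    db.commit()


def create_user(db, username, email, password):
    db.execute("INSERT INTO users (username, email, salt, pw_hash) "
               "VALUES (?, ?, ?, ?)", (username, email, b"", b""))
    set_password(db, username, password)


def reset_password(db, username):
    """Replace the stored hash with the hash of a new random password and
    return (password, mail body). Returns None for an unknown user; the web
    layer should show the same 'check your mail' page either way so the form
    cannot be used to enumerate accounts."""
    row = db.execute("SELECT email FROM users WHERE username=?",
                     (username,)).fetchone()
    if row is None:
        return None
    temp = secrets.token_urlsafe(12)          # CSPRNG, ~96 bits of entropy
    set_password(db, username, temp, temporary=True)
    body = (f"To: {row[0]}\n"
            f"Your password has been reset to: {temp}\n"
            "It is valid for one hour and must be changed at next login.")
    return temp, body


def verify_password(db, username, password, now=None):
    """Constant-time comparison of the candidate hash against the stored one;
    an expired temporary password is rejected outright."""
    row = db.execute("SELECT salt, pw_hash, must_change, temp_expires "
                     "FROM users WHERE username=?", (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return False
    salt, stored, must_change, expires = row
    current = now if now is not None else time.time()
    if must_change and expires is not None and current > expires:
        return False
    return secrets.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = open_db()
    create_user(db, "alice", "alice@example.com", "correct horse")
    temp, mail = reset_password(db, "alice")
    print(mail)
    print("old password still works:", verify_password(db, "alice", "correct horse"))
    print("temporary password works:", verify_password(db, "alice", temp))
```

The temporary password travels in clear text through the user's mailbox, which is the weakness the post's closing joke points at; the expiry and must-change flag limit how long a leaked reset mail is useful, but they do not protect an account whose mailbox is already compromised.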