[thelist] hashing stored passwords (revisited)
Aredridel
aredridel at nbtsc.org
Wed Jun 25 15:17:18 CDT 2003
On Wed, 2003-06-25 at 14:11, ted serbinski wrote:
> > > So aside from him being able to use a user's password on another site
> > > or for a different resource where the same username/password combo
> > > existed, does it enhance the security of a website at all?
>
> The only question I have with hashing a password is, what if a user forgets
> his/her password?
>
> The only way I can think of to fix this error is to have the user enter a
> secret question/answer, but to me, that doesn't seem too secure at all (I
> mean if the answer is just some word like "denver" that wouldn't be too hard
> to crack).
Have it be double or triple-authenticated: Send them an email, if they
can receive it, they go to a secret URL with a hash in it -- track the
hashes so they can't be re-used. At that point, they answer a secret
question, and at that point, it could be called equivalent to password
auth, and allow them to change their password. Adding a third
requirement may not be possible depending on how much information you
collect.
> So how do you guys get around this? I'm looking to implement hashing in a
> future project and this was the only problem I couldn't really figure out.
> Thanks.
I go with a when-in-doubt, have them contact the admin, and have some
sort of verification question that's only used over a semi-secure
channel.
Ari
>
> ted
>
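The reset flow Ari sketches above (e-mail a single-use link whose token is tracked by hash, then ask a secret question), as an added Python example that is not part of the original thread; the 30-minute token lifetime, the PBKDF2 parameters and the in-memory store are assumptions for illustration:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed policy: reset links expire after 30 minutes


class ResetTokenStore:
    """Single-use reset tokens, recorded only as SHA-256 digests so a leaked
    copy of this table cannot be turned back into a working link."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> {"user", "expires", "used"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._tokens[self._digest(token)] = {
            "user": username, "expires": now + TOKEN_TTL_SECONDS, "used": False}
        return token  # goes into the e-mailed URL, e.g. /reset?t=<token>

    def redeem(self, token, now=None):
        """Return the owner of a valid, unexpired, never-used token, else None.
        Success marks the digest used, so the same link cannot be replayed."""
        now = time.time() if now is None else now
        record = self._tokens.get(self._digest(token))
        if record is None or record["used"] or now > record["expires"]:
            return None
        record["used"] = True
        return record["user"]


def hash_secret_answer(answer, salt):
    """Second step after the link: store the answer salted and stretched like a
    password. Case and whitespace are normalised so "Denver" matches "denver";
    stretching slows guessing, but a one-word answer stays weak, which is why
    it is only one factor of several here."""
    normalised = " ".join(answer.lower().split()).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


def check_secret_answer(stored_hash, salt, supplied):
    """Constant-time comparison, so timing does not leak how much matched."""
    return hmac.compare_digest(stored_hash, hash_secret_answer(supplied, salt))
```

In a real deployment the token table lives in the database and the salt is stored per user next to the answer hash.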