[thelist] hashing stored passwords (revisited)

klute soundres9 at yahoo.com
Wed Jun 25 15:24:37 CDT 2003


I am using a pretty good model to deal with hashed and
forgotten passwords:

1) I like to store two user IDs in the user database: one
is their username and the other is a random opaqueId
that gets generated during registration and is stored
in the user table.

2) Verify the user's email address during registration
(send him/her a confirmation email and ask to visit a
link). The opaqueId gets sent on the query string
within the verification email.

3) When the user forgets the password, he enters his username
and gets help ONLY if the email was previously
verified. In this case, a new random temp id is
generated for this request. It is associated with a
particular username and temporarily gets stored either
in memory (not session) on the web server or in a
special table in the database along with the timestamp
when it was created.

4) An email is sent to the user with a link that
includes that temporary random value on the query
string.

5) When the user visits the URL received, the temp key
value gets looked up to see what username is
associated with it. Then, he/she is auto-logged in and
is presented with a "choose new password" form. Note,
once the URL is visited, the temporary random key
expires and gets deleted (it will also expire if the
URL was not visited for a specific period of time).


Hope this makes sense and helps. If not, ask away.
James
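Steps 3 to 5 above, as an added Python example that is not code from the original post: the reset token is random, only the hash of it is kept server-side with the username and creation timestamp, and it is consumed exactly once or discarded after a timeout. The in-memory dict, the 30-minute default TTL and the injectable clock are assumptions made for this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed timeout for an unused reset link


class ResetTokenStore:
    """Server-side store for password-reset tokens (constructed example).

    Keys are SHA-256 digests of the token, so a leaked copy of the table
    does not yield usable links. Values are (username, created_at)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested offline
        self._tokens = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, username, email_verified):
        """Step 3: only a user with a verified email gets a token."""
        if not email_verified:
            return None
        token = secrets.token_urlsafe(32)  # ~256 bits from the OS CSPRNG
        self._tokens[self._digest(token)] = (username, self._clock())
        return token  # goes into the emailed link (step 4)

    def consume(self, token):
        """Step 5: look up the username, then delete the token.

        pop() removes the entry whether or not it is still valid, so a
        token can never be redeemed twice. Returns None when unknown or
        expired."""
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        username, created_at = entry
        if self._clock() - created_at > self._ttl:
            return None
        return username

    def purge_expired(self):
        """Housekeeping for links that were never visited."""
        now = self._clock()
        stale = [k for k, (_, t) in self._tokens.items() if now - t > self._ttl]
        for k in stale:
            del self._tokens[k]
        return len(stale)
```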


--- ted serbinski <tss24 at cornell.edu> wrote:
> > > So aside from him being able to use a user's
> password on another site
> > > or for a different resource where the same
> username/password combo
> > > existed, does it enhance the security of a
> website at all?
> 
> The only question I have with hashing a password is,
> what if a user forgets
> his/her password?
> 
> The only way I can think of to fix this error is to
> have the user enter a
> secret question/answer, but to me, that doesn't seem
> too secure at all (I
> mean if the answer is just some word like "denver"
> that wouldn't be too hard
> to crack).
> 
> So how do you guys get around this? I'm looking to
> implement hashing in a
> future project and this was the only problem I
> couldn't really figure out.
> Thanks.
> 
> ted
> 

