[thelist] hashing stored passwords (revisited)

Gary McPherson genyus at ingenyus.net
Wed Jun 25 18:23:10 CDT 2003


> simple.  just generate a new, random password, hash it, and 
> stuff it in the database.  take this newly created password 
> and email it to the email account on record.  give them a 
> lookup by both username and email address. make sure to 
> constrain accounts so there are no duplicates of either.
> 
> .jeff

I'm developing an application which could make good use of password
hashing, had a look at Jamie's earlier suggestion which made sense - but
yours seems to involve a _lot_ less work to implement. As I am
generating random passwords sent via email (to validate their email
addresses) and forcing them to reset on first login, I could simply
repeat the process for forgotten passwords.

Unless anyone can think of a good reason not to?

Gary
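
The flow described in this thread (random password, store only its hash, mail it to the address on record, look up by username or email, force a reset on first login), as an added example that is not part of either poster's message. The table and column names, the function names and the choice of salted PBKDF2 as the hash are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; not from the thread


def open_db():
    """Hypothetical schema; UNIQUE rejects duplicate usernames and emails."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT UNIQUE NOT NULL, email TEXT UNIQUE NOT NULL,"
        " salt BLOB, pw_hash BLOB, must_reset INTEGER DEFAULT 1)"
    )
    return db


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def issue_password(db, identifier):
    """Look up by username or email, store only the hash of a fresh random
    password, and return (email, plaintext) for the mailer. None if unknown."""
    row = db.execute(
        "SELECT rowid, email FROM users WHERE username = ? OR email = ?",
        (identifier, identifier),
    ).fetchone()
    if row is None:
        return None
    password = secrets.token_urlsafe(12)  # 96 bits from the OS CSPRNG
    salt = secrets.token_bytes(16)  # fresh per-password salt
    db.execute(
        "UPDATE users SET salt = ?, pw_hash = ?, must_reset = 1 WHERE rowid = ?",
        (salt, hash_password(password, salt), row[0]),
    )
    return row[1], password


def check_login(db, username, password):
    """Return (ok, must_reset); the hash comparison is constant-time."""
    row = db.execute(
        "SELECT salt, pw_hash, must_reset FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[0] is None:
        return False, False
    ok = hmac.compare_digest(hash_password(password, row[0]), row[1])
    return ok, bool(row[2]) if ok else False
```

The same `issue_password` call serves both first-time email validation and forgotten passwords; `must_reset` stays set until the user picks a new password at first login.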