[thelist] hashing stored passwords (revisited)

klute soundres9 at yahoo.com
Thu Jun 26 08:23:04 CDT 2003


Gary

.jeff's way is good and my way seems to add more work
but has its benefits

a) users, i think, would prefer to visit a link sent
to them in the mail to activate/access, etc instead of
copying and pasting or alt-tabbing to retype their
password.

b) the way my system works is that the email reminder
sends you a link that contains a temporary hash that
will expire after a certain time. imagine somebody
requesting their password and leaving town for two
weeks possibly leaving his/her email inbox for someone
to break in. not that email inboxes are targets these
days but they could be because, unfortunately, it is
still a common practice for various sites to send your
plaintext password to you via email.

also, something that goes w/o saying is that users
must verify their email addresses during registration
and only then will they be helped via email in case
they lose their password. otherwise, somebody at
test at somewhere.com will be happily getting your 'lost
password' communications to Chase.

james

--- Gary McPherson <genyus at ingenyus.net> wrote:
> > simple.  just generate a new, random password, hash it, and
> > stuff it in the database.  take this newly created password
> > and email it to the email account on record.  give them a
> > lookup by both username and email address. make sure to
> > constrain accounts so there are no duplicates of either.
> >
> > .jeff
> 
> I'm developing an application which could make good use of password
> hashing, had a look at Jamie's earlier suggestion which made sense - but
> yours seems to involve a _lot_ less work to implement. As I am
> generating random passwords sent via email (to validate their email
> addresses) and forcing them to reset on first login, I could simply
> repeat the process for forgotten passwords.
> 
> Unless anyone can think of a good reason not to?
> 
> Gary
> 
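
An added example, in Python, of the expiring reset-link token james describes above (not code from the post or from his system): only a hash of the token is stored, it is single-use, it times out, and it is never issued for an unverified address. The in-memory store, the function names and the one-hour default lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store: sha256(token) -> record. A real site would
# keep this in the database beside the account (assumption, not the post's).
RESET_TOKENS = {}


def issue_reset_token(username, email_verified, ttl_seconds=3600, now=None):
    """Create the token to embed in a reset link; return None if not allowed.

    Only the SHA-256 of the token is stored, so a leaked table does not
    yield working links. The raw token goes into the emailed URL only.
    """
    if not email_verified:
        # Unverified addresses never get reset mail (james's rule above).
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {
        "user": username,
        "expires": now + ttl_seconds,
        "used": False,
    }
    return token


def redeem_reset_token(token, now=None):
    """Validate a token from a clicked link; return the username or None.

    Lookup is by hash of a 256-bit random token, so the dict lookup itself
    leaks nothing useful. Expired or reused tokens are rejected and dropped.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.get(digest)
    if record is None:
        return None
    if record["used"] or now > record["expires"]:
        RESET_TOKENS.pop(digest, None)  # stale entry, clean it up
        return None
    record["used"] = True  # single use: a second click of the link fails
    return record["user"]
```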

