[thelist] hashing stored passwords (revisited)

Gary McPherson genyus at ingenyus.net
Thu Jun 26 09:03:40 CDT 2003


> Gary
> 
> .jeff's way is good and my way seems to add more work
> but has its benefits
> 
> a) users, i think, would prefer to visit a link sent
> to them in the mail to activate/access, etc instead of
> copying and pasting or alt-tabbing to retype their
> password.

True, I can see your point there - it's certainly worth further
consideration.

> 
> b) the way my system works is that the email reminder
> sends you a link that contains a temporary hash that
> will expire after a certain time. imagine somebody
> requesting their password and leaving town for two
> weeks possibly leaving his/her email inbox for someone
> to break in. not that email inboxes are targets these
> days but they could because, unfortunately, it is
> still a common practice for various sites to send your
> plaintext password to you via email.   

Again, I agree with your thinking, but my alternative would be to
present the challenge question/secret answer when they return to enter a
new password.

> 
> also, something that goes w/o saying is that users
> must verify their email addresses during registration
> and only then they will be helped via email in case
> they lose their password. otherwise, somebody at
> test at somewhere.com will be happily getting your 'lost 
> password' communications to Chase.

Absolutely.
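The expiring reset-link scheme described in point (b) above, written out as an added example (this is not code from either poster). It assumes a per-user store keyed by user id, stores only a SHA-256 hash of the token so a leaked database copy cannot be replayed, enforces a one-hour lifetime, makes the token single-use, and compares hashes in constant time. The user ids, link base URL and lifetime are constructed sample values, and the injectable clock exists only so the expiry path can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

# Lifetime of a reset link (constructed sample value: one hour).
TOKEN_TTL_SECONDS = 3600
# Constructed base URL for the link placed in the e-mail.
RESET_URL_BASE = "https://example.test/reset"


def _hash_token(token: str) -> str:
    """Hash the raw token; only this digest is ever persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Issues and redeems time-limited, single-use password reset tokens."""

    def __init__(self, clock=time.time):
        # clock is injectable so tests can advance time deterministically.
        self._clock = clock
        # user_id -> (token_hash, expires_at); one outstanding token per user.
        self._pending: dict[str, tuple[str, float]] = {}

    def issue(self, user_id: str) -> str:
        """Create a fresh random token for the user and return the raw value.

        The raw token goes into the e-mailed link and is never stored;
        issuing again replaces any earlier outstanding token.
        """
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[user_id] = (_hash_token(token), expires_at)
        return token

    def build_link(self, user_id: str) -> str:
        """Convenience wrapper: issue a token and embed it in the reset URL."""
        return f"{RESET_URL_BASE}?user={user_id}&token={self.issue(user_id)}"

    def redeem(self, user_id: str, token: str) -> bool:
        """Return True exactly once for a valid, unexpired token.

        Expired tokens are discarded on sight; a wrong token leaves the
        outstanding one in place so a typo does not lock the user out.
        """
        record = self._pending.get(user_id)
        if record is None:
            return False
        token_hash, expires_at = record
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        # Constant-time comparison of the stored and presented digests.
        if not hmac.compare_digest(token_hash, _hash_token(token)):
            return False
        del self._pending[user_id]  # single use: consumed on success
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    link = store.build_link("alice")
    print("mail this link:", link)
    raw = link.rsplit("token=", 1)[1]
    print("first redeem:", store.redeem("alice", raw))   # True
    print("second redeem:", store.redeem("alice", raw))  # False, already used
```

Because only the digest is kept server-side, someone who later reads the user's inbox two weeks on finds a link whose token has expired, and someone who reads the database finds a hash they cannot turn back into a usable link.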
