[thelist] hashing stored passwords (revisited)
Gary McPherson
genyus at ingenyus.net
Thu Jun 26 09:03:40 CDT 2003
> Gary
>
> .jeff's way is good and my way seems to add more work
> but has its benefits
>
> a) users, i think, would prefer to visit a link sent
> to them in the mail to activate/access, etc instead of
> copying and pasting or alt-tabbing to retype their
> password.
True, I can see your point there - it's certainly worth further
consideration.
>
> b) the way my system works is that the email reminder
> sends you a link that contains a temporary hash that
> will expire after a certain time. imagine somebody
> requesting their password and leaving town for two
> weeks possibly leaving his/her email inbox for someone
> to break in. not that email inboxes are targets these
> days but they could because, unfortunately, it is
> still a common practice for various sites to send your
> plaintext password to you via email.
Again, I agree with your thinking, but my alternative would be to
present the challenge question/secret answer when they return to enter a
new password.
>
> also, something that goes w/o saying is that users
> must verify their email addresses during registration
> and only then they will be helped via email in case
> they lose their password. otherwise, somebody at
> test at somewhere.com will be happily getting your 'lost
> password' communications to Chase.
Absolutely.