Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

Re: Web based password management (or how *not* to blame tye)

by aersoy (Scribe)
on Mar 24, 2002 at 22:56 UTC ( [id://153960]=note: print w/replies, xml ) Need Help??


in reply to Web based password management (or how *not* to blame tye)

Since the passwords are stored encrypted, then you can't very well send it to them. So, the password can be reset to a new random one using Crypt::RandPasswd and emailed to the email address stored in the database for user john. If we have the public PGP key for 'john' then we PGP encrypt the message. (it does no good to email the password in the clear if there's a black hat sniffing traffic).

Do not do that! Really, never send a cleartext password to an email address. IF you have their public PGP key, then it can be applicable, but not otherwise.

If you don't have the key, try this instead: Ask for a login name or an email address. Make sure it exists in your database. If it's not an email, get the email associated with it from your records. Create a temporary, rather long random key and save it somewhere, along with the data they entered. Send them an email and ask them to go to an URL like this: http://www.example.com/reset_pass?key=<random_key>. That page will hold a simple form to enter a username (or email, in case username can be forgotten, too) and a new password, twice. When they submit that, compare the key with the one you saved and take action if, and only if, those keys match.

This way, you can avoid sending passwords in clear case (well, partially). Plus, the password you create can be quite complex, thus make the user type it rather slowly. I can usually guess what people type just by looking at their fingers, and it's really easy if you know the keyboard well and they don't. This kind of thievery will be avoided, also.

And for the last issue, I myself would not try to automate this, too. I think it needs to be handled in person. Ask other questions along with the one in the database, if applicable (ie. 'when did you first create the account', 'when did you last logged in'. If this information is public, then they are no use, of course.) If the answer is accurate, then you can consider changing the email address in the database with the new one and ask for a new password. Otherwise, it's best asking them to simply create a new account.

--
Alper Ersoy

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://153960]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others sharing their wisdom with the Monastery: (7)
As of 2024-03-29 09:13 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found