PerlMonks  

Re: Re: Ecrypting passwords

by DrHyde (Prior)
on Oct 06, 2003 at 08:35 UTC


in reply to Re: Ecrypting passwords
in thread Ecrypting passwords

If you want to send password "reminders", then because the user has forgotten their password you don't really need to be able to retrieve their old password and send it to them. Just generate a new password for them.

Re: Re: Re: Ecrypting passwords
by zakzebrowski (Curate) on Oct 06, 2003 at 11:40 UTC
    True... but there is still stuff to think about.
    • How do you verify that the person is indeed the person you think you're sending the password to?
    • Do you change the password immediately as someone made the request, or do you wait to verify that the request was valid by verifying the user through some other means... (If the person was on your site as the password was reset, this could be a bad thing...)
    Anyways, just a "thought exercise" first thing in the morning...
    Cheers.


    ----
    Zak
      How do you verify that the person is indeed the person you think you're sending the password to?

      There's no foolproof way of doing it if the user has forgotten the keys they need to authenticate with. Sending the new password to the email address the user registered with is good enough most of the time. Of course, if it were something like an online banking password, I'd get the customer to phone, maybe even have them go to their branch in person, and have a human authenticate them. (Let's not talk about how bad humans are at authenticating humans for now :-)

      Do you change the password immediately as someone made the request, or do you wait to verify that the request was valid by verifying the user through some other means.

      Depends on the circumstances. Most of the time, changing it immediately and notifying the customer by email is good enough. For some situations, you might want to email the customer to confirm that they want to reset their password.

      (If the person was on your site as the password was reset, this could be a bad thing...)

      Shouldn't matter, as no-one in their right mind would be sending the password across the wire with every HTTP transaction. They will instead have been given some token like a cookie to identify them for this session.
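The flow the thread converges on (never retrieve the old password; confirm the request by e-mail before anything changes; then issue a freshly generated password and store only its hash), as an added example that is not code from the thread or its posters. It is written in Python using only the standard library; the `Account` class and the in-memory reset record are constructed stand-ins for whatever user store a real site would use.

```python
"""Password reset without ever being able to read the old password.
Step 1 mails a single-use, time-limited token (only its hash is stored);
step 2 accepts that token once, then generates and hashes a new password."""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (constructed value)
SCRYPT = dict(n=2**14, r=8, p=1)  # memory-hard hash so leaked hashes resist guessing


def hash_password(password, salt=None):
    """scrypt with a per-user random salt; only (salt, digest) is ever stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password, salt, digest):
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:  # hypothetical stand-in for a user table row
    def __init__(self, email, password):
        self.email = email
        self.salt, self.pw_hash = hash_password(password)
        self.reset = None  # (sha256(token), expiry) while a reset is pending


def request_reset(acct, now=None):
    """User asks for a reset. The password does NOT change yet; we keep only a
    hash of the token, so a database leak does not yield working reset links."""
    token = secrets.token_urlsafe(32)
    expires = (time.time() if now is None else now) + TOKEN_TTL
    acct.reset = (hashlib.sha256(token.encode()).digest(), expires)
    return token  # this, not a password, is what goes to acct.email


def confirm_reset(acct, token, now=None):
    """User follows the link. Only a matching, unexpired, unused token changes
    the password. Returns the new password to show once, or None."""
    if acct.reset is None:
        return None
    expected, expires = acct.reset
    if (time.time() if now is None else now) > expires:
        acct.reset = None  # stale request: drop it, require a fresh one
        return None
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), expected):
        return None  # wrong token: keep the pending request, change nothing
    acct.reset = None  # single use
    new_password = secrets.token_urlsafe(12)
    acct.salt, acct.pw_hash = hash_password(new_password)
    return new_password
```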
