PerlMonks  

Re: Re: Re: Ecrypting passwords

by zakzebrowski (Curate)
on Oct 06, 2003 at 11:40 UTC ( #296910=note )


in reply to Re: Re: Ecrypting passwords
in thread Ecrypting passwords

True... but there is still stuff to think about.
  • How do you verify that the person is indeed the person you think you're sending the password to?
  • Do you change the password immediately as someone made the request, or do you wait to verify that the request was valid by verifying the user through some other means... (If the person was on your site as the password was reset, this could be a bad thing...)
Anyways, just a "thought exercise" first thing in the morning...
Cheers.


----
Zak
undef$/;$mmm="J\nutsu\nutss\nuts\nutst\nuts A\nutsn\nutso\nutst\nutsh\ +nutse\nutsr\nuts P\nutse\nutsr\nutsl\nuts H\nutsa\nutsc\nutsk\nutse\n +utsr\nuts";open($DOH,"<",\$mmm);$_=$forbbiden=<$DOH>;s/\nuts//g;print +;

Re: Re: Re: Re: Ecrypting passwords
by DrHyde (Prior) on Oct 06, 2003 at 14:01 UTC
    How do you verify that the person is indeed the person you think you're sending the password to?

    There's no foolproof way of doing it if the user has forgotten the keys they need to authenticate with. Sending the new password to the email address the user registered with is good enough most of the time. Of course, if it were something like an online banking password, I'd get the customer to phone, maybe even have them go to their branch in person, and have a human authenticate them. (Let's not talk about how bad humans are at authenticating humans for now :-)

    Do you change the password immediately as someone made the request, or do you wait to verify that the request was valid by verifying the user through some other means.

    Depends on the circumstances. Most of the time, changing it immediately and notifying the customer by email is good enough. For some situations, you might want to email the customer to confirm that they want to reset their password.

    (If the person was on your site as the password was reset, this could be a bad thing...)

    Shouldn't matter, as no-one in their right mind would be sending the password across the wire with every HTTP transaction. They will instead have been given some token like a cookie to identify them for this session.
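As an added example, not code from either poster, here is the "e-mail the customer to confirm" variant DrHyde mentions, in Perl: the account is left untouched until the mailed token, which is time-limited and single-use, comes back. It assumes only core Digest::SHA and MIME::Base64, /dev/urandom for randomness, and an in-memory hash standing in for the database.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use MIME::Base64 qw(encode_base64url);

# Stand-in for the pending-reset table (assumption: a real site would
# keep this in its database, keyed by user).
my %pending;              # user => { digest => ..., expires => ... }
my $TTL = 15 * 60;        # seconds a reset link stays valid

# 32 random bytes from the kernel CSPRNG (assumption: a Unix host).
sub random_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 32) == 32 or die "short read from urandom";
    close $fh;
    return encode_base64url($bytes);   # URL-safe, fits in a mailed link
}

# Step 1: someone asks for a reset. The account is NOT changed; we only
# store a hash of the token and hand back the token for the e-mail.
sub request_reset {
    my ($user, $now) = @_;
    my $token = random_token();
    $pending{$user} = { digest => sha256_hex($token), expires => $now + $TTL };
    return $token;   # mailed to the registered address, never stored in clear
}

# Step 2: the link is followed. Only a matching, unexpired token lets the
# caller go on to set a new password; a used or expired token is removed.
sub confirm_reset {
    my ($user, $token, $now) = @_;
    my $rec = $pending{$user} or return 0;
    if ($now > $rec->{expires}) { delete $pending{$user}; return 0 }
    return 0 unless sha256_hex($token) eq $rec->{digest};
    delete $pending{$user};    # single use
    return 1;
}

# Walk-through with constructed input
my $t = request_reset('alice', time);
print confirm_reset('alice', 'not-the-token', time) ? "BUG\n" : "bogus token rejected\n";
print confirm_reset('alice', $t, time)              ? "alice may set a new password\n" : "BUG\n";
print confirm_reset('alice', $t, time)              ? "BUG\n" : "token already spent\n";
my $old = request_reset('alice', time - 2 * $TTL);  # request dated well in the past
print confirm_reset('alice', $old, time)            ? "BUG\n" : "expired link rejected\n";
```

Because only a digest of the token is stored, a copy of the pending table does not let anyone complete a reset, and the existing session cookie is never involved in the decision.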
