
Re: Re: Re: Re: Encrypting passwords

by DrHyde (Prior)
on Oct 06, 2003 at 14:01 UTC (#296939)

in reply to Re: Re: Re: Encrypting passwords
in thread Encrypting passwords

How do you verify that the person is indeed the person you think you're sending the password to?

There's no foolproof way of doing it if the user has forgotten the keys they need to authenticate with. Sending the new password to the email address the user registered with is good enough most of the time. Of course, if it were something like an online banking password, I'd get the customer to phone, maybe even have them go to their branch in person, and have a human authenticate them. (Let's not talk about how bad humans are at authenticating humans for now :-)

Do you change the password immediately as someone makes the request, or do you wait to verify that the request was valid by verifying the user through some other means?

Depends on the circumstances. Most of the time, changing it immediately and notifying the customer by email is good enough. For some situations, you might want to email the customer to confirm that they want to reset their password.

(If the person was on your site as the password was reset, this could be a bad thing...)

Shouldn't matter, as no-one in their right mind would be sending the password across the wire with every HTTP transaction. They will instead have been given some token like a cookie to identify them for this session.
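The reset procedure DrHyde describes (mail a confirmation to the address the user registered with, change the password only when the user follows up, then notify them) as an added Perl example; this is not code from the thread. The in-memory user and token tables, the example.invalid URL, the /dev/urandom token source and the mailer callback are all constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed in-memory stand-ins for a user table and a reset-token table.
# A real site would keep these in a database and store passwords with a
# slow, salted hash (bcrypt/scrypt/Argon2); plain sha256 is used here only to
# keep the example self-contained.
my %users   = ( 'alice@example.com' => { pw_hash => sha256_hex('old-secret') } );
my %pending = ();                     # sha256(token) => { email, expires }
my $TOKEN_TTL = 60 * 60;              # a reset link stays valid for one hour

# 32 random bytes from the kernel CSPRNG (assumes a Unix-like system).
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;
}

# Step 1: someone submits an address on the "forgot password" form.
# $mailer is a coderef that delivers ($to, $body). Nothing about the outcome
# is reported back to the requester, so the form cannot be used to find out
# which addresses are registered.
sub request_reset {
    my ($email, $mailer, $now) = @_;
    $now //= time;
    return unless exists $users{$email};   # unknown address: do nothing
    my $token = new_token();
    # Only the hash is stored, so a leaked token table cannot be replayed.
    $pending{ sha256_hex($token) } = { email => $email, expires => $now + $TOKEN_TTL };
    $mailer->($email, "To confirm your password reset, visit https://example.invalid/reset?t=$token");
    return;
}

# Step 2: the user follows the emailed link and submits a new password.
# The token is consumed on first use and rejected once it has expired; the
# user is notified afterwards so an unexpected change gets noticed.
sub confirm_reset {
    my ($token, $new_password, $mailer, $now) = @_;
    $now //= time;
    my $rec = delete $pending{ sha256_hex($token) };   # single use
    return 0 unless $rec;                              # unknown or already used
    return 0 if $now > $rec->{expires};                # link too old
    $users{ $rec->{email} }{pw_hash} = sha256_hex($new_password);
    $mailer->($rec->{email}, "Your password was just changed. If that was not you, contact support.");
    return 1;
}

# Demonstration with a mailer that collects messages instead of sending them.
my @outbox;
my $collect = sub { push @outbox, { to => $_[0], body => $_[1] } };

request_reset('alice@example.com',  $collect);   # registered: one mail queued
request_reset('nobody@example.com', $collect);   # unregistered: nothing queued
my ($token) = $outbox[0]{body} =~ /t=([0-9a-f]+)/;

printf "first use:  %d\n", confirm_reset($token, 'new-secret', $collect);  # valid token
printf "second use: %d\n", confirm_reset($token, 'again',      $collect);  # token already consumed
printf "mails sent: %d\n", scalar @outbox;
```

Because only the hash of the token is stored and the record is deleted on first lookup, a second visit to the same link is rejected without any extra bookkeeping, and the expiry check keeps an old mail from being usable indefinitely.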
