Hashing passwords may be the way to go, but how does everyone handle emailing lost passwords to users? Just assign them a new password and force them to use it?
But I guess big sites (like Amazon) don't hash because they send the current password.

Chris Lofback
Sr. Web Developer
TRX Integration
28051 US 19 N., Ste. C
Clearwater, FL 33761
www.trxi.com

> -----Original Message-----
> From: Stacy Young [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 25, 2002 10:12 AM
> To: CF-Talk
> Subject: RE: Client Database question
>
>
> One way hash on passwords definitely the way to go...
>
>
> -----Original Message-----
> From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 25, 2002 10:05 AM
> To: CF-Talk
> Subject: RE: Client Database question
>
>
> > Basically, this is why I've never set usernames and passwords as
> > client variables. However, not allowing SELECTs would stop anyone
> > from stealing them in this manner. I just always figured that
> > restricting SQL operations would also restrict CF from SELECTing, and
> > UPDATEing. But some testing shows it doesn't affect CF in writing or
> > accessing client variables.
>
> I would still avoid setting either username or password as client variables
> personally... and tend to hash() passwords as they're going into the db
> also. For that matter, if I wanted to be particularly strict about security,
> I would hash the usernames also, :) since I never display the usernames.
> ( i.e. like AOL/AIM's login with your screenname that's readily available to
> everyone. )
>
>
> Isaac Dealey
>
> www.turnkey.to
> 954-776-0046
>
> ______________________________________________________________________

This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
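The thread's open question is how to handle "lost password" mail once passwords are stored only as hashes. The usual answer is the one the first message guesses at: never send a password at all, neither the old one (which a hashed store cannot produce) nor a new one; instead email a random, single-use, time-limited reset token, and let the user pick a new password after presenting it. The following is an added, self-contained Python illustration written for this page; it is not code from anyone in the thread, nor ColdFusion's hash() function. It assumes an in-memory user table, a salted PBKDF2-HMAC-SHA256 password hash in place of the unsalted hash() of 2002, and a hypothetical 15-minute token lifetime and iteration count; only the hash of the reset token is stored, so a dumped table gives an attacker neither passwords nor usable reset links.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical tuning values chosen for this example; size them to your own hardware.
PBKDF2_ITERATIONS = 210_000
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); only these two are ever stored."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def _token_digest(token: str) -> bytes:
    # The token is high-entropy, so a plain SHA-256 is enough to keep the stored form unusable.
    return hashlib.sha256(token.encode("ascii")).digest()


@dataclass
class UserRecord:
    salt: bytes
    password_digest: bytes
    reset_token_digest: Optional[bytes] = None  # hash of the outstanding reset token, if any
    reset_expires_at: float = 0.0               # UNIX time after which the token is dead


class UserStore:
    """Constructed in-memory stand-in for the users table discussed in the thread."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}

    def create_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = UserRecord(salt=salt, password_digest=digest)

    def verify_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        _, digest = hash_password(password, rec.salt)
        return hmac.compare_digest(digest, rec.password_digest)

    def start_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a single-use, time-limited token. The caller emails the token (as a link),
        never a password. Returns None for unknown users; the caller should still show the
        same generic "if that account exists, mail has been sent" response either way."""
        rec = self.users.get(username)
        if rec is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe for a link
        rec.reset_token_digest = _token_digest(token)
        rec.reset_expires_at = (time.time() if now is None else now) + RESET_TOKEN_TTL_SECONDS
        return token

    def finish_reset(self, username: str, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        """Accept the token once, before expiry, then replace the password hash."""
        rec = self.users.get(username)
        if rec is None or rec.reset_token_digest is None:
            return False
        current = time.time() if now is None else now
        if current > rec.reset_expires_at:
            rec.reset_token_digest = None  # expired tokens are discarded, not retried
            return False
        if not hmac.compare_digest(_token_digest(token), rec.reset_token_digest):
            return False
        # Consume the token so the same emailed link cannot be replayed.
        rec.reset_token_digest = None
        rec.reset_expires_at = 0.0
        rec.salt, rec.password_digest = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.create_user("chris", "correct horse")
    token = store.start_reset("chris")
    print("emailed token:", token)
    print("reset ok:", store.finish_reset("chris", token, "battery staple"))
    print("old password still works:", store.verify_password("chris", "correct horse"))
    print("new password works:", store.verify_password("chris", "battery staple"))
```

The `now` parameter exists only so expiry can be exercised deterministically; in production the wall clock is used. Rate limiting of reset requests and of token submissions, and binding the token to a session or IP, are left to the surrounding application.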

