If someone loses their password you can ask them to provide their email address. Send an authorizing link to their email account in the form of a URL that passes a generated password as a parameter.
Let's say for a FB app for instance: http://www.mydomain.com/index.cfm?fuseaction=security.authorize&email=joeblo [EMAIL PROTECTED]&password=df4TG6Hf

Your application then validates this password in your DB, and if it matches prompt the user for a new password.... Rather painless technique... user doesn't have to remember any cryptic passwords or what not... just remember that you'll want two columns for passwords... one for the actual password and another for generated passwords... this is to safeguard against anyone entering anyone else's email address and resetting their passwords.

Stace

-----Original Message-----
From: Chris Lofback [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 25, 2002 10:12 AM
To: CF-Talk
Subject: Hashed passwords

Hashing passwords may be the way to go, but how does everyone handle emailing lost passwords to users? Just assign them a new password and force them to use it? But I guess big sites (like Amazon) don't hash because they send the current password.

Chris Lofback
Sr. Web Developer
TRX Integration
28051 US 19 N., Ste. C
Clearwater, FL 33761
www.trxi.com

> -----Original Message-----
> From: Stacy Young [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 25, 2002 10:12 AM
> To: CF-Talk
> Subject: RE: Client Database question
>
> One way hash on passwords definitely the way to go...
>
> -----Original Message-----
> From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 25, 2002 10:05 AM
> To: CF-Talk
> Subject: RE: Client Database question
>
> > Basically, this is why I've never set usernames and passwords as
> > client variables. However, not allowing SELECTs would stop anyone
> > from stealing them in this manner. I just always figured that
> > restricting SQL operations would also restrict CF from SELECTing, and
> > UPDATEing. But some testing shows it doesn't affect CF in writing or
> > accessing client variables.
>
> I would still avoid setting either username or password as client variables
> personally... and tend to hash() passwords as they're going into the db
> also. For that matter, if I wanted to be particularly strict about security,
> I would hash the usernames also, :) since I never display the usernames.
> (i.e. like AOL/AIM's login with your screenname that's readily available to
> everyone.)
>
> Isaac Dealey
> www.turnkey.to
> 954-776-0046

______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
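The two-column reset flow Stace describes, written out as an added example (Python with an in-memory SQLite table, not ColdFusion, and not code from anyone in this thread). The generated value lives in its own column so a reset request never disturbs the real password hash; storing only a hash of the emailed token, giving it an expiry, and clearing it after one use are additions beyond what the thread states.

```python
import hashlib, hmac, os, secrets, sqlite3, time

# Constructed schema: pw_hash is the real (salted, hashed) password, while
# reset_hash/reset_expires hold the pending emailed token separately, so a
# stranger requesting a reset for someone else's address changes nothing.
db = sqlite3.connect(":memory:")
db.execute("""CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB,
              pw_hash BLOB, reset_hash BLOB, reset_expires REAL)""")

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_user(email, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, NULL, NULL)",
               (email, salt, hash_pw(password, salt)))

def check_login(email, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email=?",
                     (email,)).fetchone()
    return bool(row) and hmac.compare_digest(hash_pw(password, row[0]), row[1])

def start_reset(email, ttl=900):
    """Return the one-time token to put in the emailed link; only its hash
    is stored. An unknown address still gets a token back, so the response
    does not reveal whether the account exists."""
    token = secrets.token_urlsafe(32)
    db.execute("UPDATE users SET reset_hash=?, reset_expires=? WHERE email=?",
               (hashlib.sha256(token.encode()).digest(), time.time() + ttl, email))
    return token  # caller emails .../authorize?email=<email>&token=<token>

def finish_reset(email, token, new_password):
    """Validate the emailed token (unexpired, constant-time compare), then
    set the new password and clear the token so it cannot be replayed."""
    row = db.execute("SELECT reset_hash, reset_expires FROM users WHERE email=?",
                     (email,)).fetchone()
    if not row or row[0] is None or row[1] < time.time():
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), row[0]):
        return False
    salt = os.urandom(16)
    db.execute("""UPDATE users SET salt=?, pw_hash=?, reset_hash=NULL,
                  reset_expires=NULL WHERE email=?""",
               (salt, hash_pw(new_password, salt), email))
    return True
```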

