> Hashing passwords may be the way to go, but how does everyone handle
> emailing lost passwords to users? Just assign them a new
> password and force them to use it?
Email them a random new password, and then make them change it the very first time they log in with it.

-Cameron

-----------------
Cameron Childress
Sumo Consulting Inc.
---
cell: 678-637-5072
aim: cameroncf
email: [EMAIL PROTECTED]

> -----Original Message-----
> From: Chris Lofback [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 25, 2002 10:12 AM
> To: CF-Talk
> Subject: Hashed passwords
>
>
> Hashing passwords may be the way to go, but how does everyone handle
> emailing lost passwords to users? Just assign them a new
> password and force them to use it?
>
> But I guess big sites (like Amazon) don't hash because they
> send the current password.
>
> Chris Lofback
> Sr. Web Developer
>
> TRX Integration
> 28051 US 19 N., Ste. C
> Clearwater, FL 33761
> www.trxi.com
>
>
> > -----Original Message-----
> > From: Stacy Young [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 25, 2002 10:12 AM
> > To: CF-Talk
> > Subject: RE: Client Database question
> >
> >
> > One way hash on passwords definitely the way to go...
> >
> >
> > -----Original Message-----
> > From: S. Isaac Dealey [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 25, 2002 10:05 AM
> > To: CF-Talk
> > Subject: RE: Client Database question
> >
> > > Basically, this is why I've never set usernames and passwords as
> > > client variables. However, not allowing SELECTs would stop anyone
> > > from stealing them in this manner. I just always figured that
> > > restricting SQL operations would also restrict CF from SELECTing, and
> > > UPDATEing. But some testing shows it doesn't affect CF in writing or
> > > accessing client variables.
> >
> > I would still avoid setting either username or password as
> > client variables personally... and tend to hash() passwords as they're going
> > into the db also. For that matter, if I wanted to be particularly strict
> > about security, I would hash the usernames also, :) since I never display the
> > usernames. ( i.e. like AOL/AIM's login with your screenname that's readily
> > available to everyone. )
> >
> >
> > Isaac Dealey
> >
> > www.turnkey.to
> > 954-776-0046
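The flow Cameron describes (store only a one-way hash, mail a random replacement password, force a change on first login), as an added Python example that is not from the thread. The in-memory `USERS` table, the PBKDF2 hash and the status strings are assumptions standing in for the ColdFusion `hash()` call and database of the original.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "users table"; a real app keeps this in the database.
USERS = {}
ITERATIONS = 200_000  # PBKDF2 work factor (assumed); tune to your hardware


def _hash(password, salt):
    # One-way, salted, slow: a stolen record can't be mailed back as a password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def set_password(username, password, must_change=False):
    """Store only salt + hash; the plaintext password is never kept."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt),
                       "must_change": must_change}


def issue_temporary_password(username):
    """Lost-password flow: random one-time password, stored hashed with the
    must_change flag set. The plaintext is returned ONLY so the caller can
    email it once; after that it exists nowhere on the server."""
    temp = secrets.token_urlsafe(12)
    set_password(username, temp, must_change=True)
    return temp


def verify_login(username, password):
    """Returns 'bad', 'must_change' (correct but temporary) or 'ok'."""
    rec = USERS.get(username)
    if rec is None:
        _hash(password, b"\0" * 16)  # same cost for unknown users
        return "bad"
    if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return "bad"
    return "must_change" if rec["must_change"] else "ok"


def change_password(username, old, new):
    """The forced change on first login: the temporary password must verify,
    and the replacement clears the must_change flag."""
    if verify_login(username, old) == "bad":
        return False
    set_password(username, new)
    return True
```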

