The equivalent using the random password technique would simply involve
making the new random password only good for 24 hours.
Assuming the UUID is truly random (historically, some versions of CF have
generated predictable UUIDs), both methods are equally effective from a
security standpoint.
-Cameron
-----------------
Cameron Childress
Sumo Consulting Inc.
---
cell: 678.637.5072
land: 858.509.3098
aim: cameroncf
email: [EMAIL PROTECTED]
-----Original Message-----
From: walker [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 04, 2004 11:43 PM
To: CF-Talk
Subject: Re:Password Logic
Good thinking. This idea is much better.
-w
At 10:33 PM 1/4/2004, you wrote:
> >For best practices-sake, if the user forgets their password, you should
> >only be able to generate a new one and email it out
>
>I prefer not to send any password via mail (auto or user-generated. If a
>user forgets his/her password we do a couple of things:
>
>1- user must type the registered email in his account (assuming you ask
>for an email when registering and it is unique)
>2- an email with a link (which holds a random UUID) is sent to the user's
>3- the UUID and the user id is stored in the database along with date/time
>4- user has 24 hours to click on the link in the email... after this the
>link will be invalid (the link will also work only once...)
>5- when the user clicks the link, he/she gets two textfields to provide a
>new password (new password and confirmation)
>6- after that the password is reset to the new value
>
>A little complex, but we mention in the emails sent to the user that it is
>in his/her best interest not to send any kind of password via mail.
>
>hth
>
>mauricio
>
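The six-step link-based reset mauricio describes, with the 24-hour expiry and single-use check, as an added example in Python. This is not code from the thread (and not ColdFusion); an in-memory dict stands in for the database table and a list for the outgoing mail, and the names ResetFlow, request_reset, redeem and check_password are assumptions. It draws the token from a CSPRNG rather than a UUID, for the reason Cameron raises about predictable UUIDs, and stores only a hash of the token so that a read of the table does not yield usable links. The clock is injectable so the expiry path can be exercised.

```python
"""Link-based password reset (added example, not the thread's code).

Steps follow mauricio's post: registered email -> random token mailed as
a link -> token + user id + timestamp stored -> 24h, single-use -> new
password and confirmation -> password replaced.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60      # step 4: link valid for 24 hours
PBKDF2_ROUNDS = 200_000


def _digest(token: str) -> str:
    """Hash the token before storing it; only the emailed link holds the clear value."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetFlow:
    def __init__(self, users: dict, now=time.time):
        # users: email -> user_id. Assumption (as in the post): email is unique.
        self.users = users
        self.now = now
        self.tokens = {}      # digest -> {"user_id", "issued", "used"}  (the DB row)
        self.outbox = []      # (email, link) pairs standing in for sent mail
        self.passwords = {}   # user_id -> (salt, pbkdf2 hash)

    def request_reset(self, email: str):
        """Steps 1-3. Returns the clear token only so a caller can simulate the click;
        a real handler would return the same response whether or not the email exists."""
        user_id = self.users.get(email)
        if user_id is None:
            return None
        # Step 2: CSPRNG token instead of a UUID (some UUID generators were predictable).
        token = secrets.token_urlsafe(32)
        # Step 3: store token hash, user id and issue time.
        self.tokens[_digest(token)] = {"user_id": user_id, "issued": self.now(), "used": False}
        self.outbox.append((email, f"https://example.invalid/reset?token={token}"))  # hypothetical URL
        return token

    def redeem(self, token: str, new_password: str, confirmation: str) -> bool:
        """Steps 4-6: enforce expiry and single use, then set the new password."""
        rec = self.tokens.get(_digest(token))
        if rec is None or rec["used"]:
            return False                                   # unknown or already used
        if self.now() - rec["issued"] > TOKEN_TTL_SECONDS:
            return False                                   # older than 24 hours
        if new_password != confirmation or len(new_password) < 8:
            return False                                   # step 5: fields must agree
        rec["used"] = True                                 # burn the link before writing
        salt = secrets.token_bytes(16)
        self.passwords[rec["user_id"]] = (
            salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS))
        return True

    def check_password(self, user_id: int, password: str) -> bool:
        stored = self.passwords.get(user_id)
        if stored is None:
            return False
        salt, expected = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    flow = ResetFlow({"alice@example.invalid": 1})     # constructed sample account
    tok = flow.request_reset("alice@example.invalid")
    print("mailed:", flow.outbox[-1][1])
    print("reset ok:", flow.redeem(tok, "correct horse", "correct horse"))
    print("second use ok:", flow.redeem(tok, "correct horse", "correct horse"))
```

Cameron's alternative, a random temporary password good for 24 hours, is the same record with the same expiry and single-use checks; the only difference is that the secret is presented on the login form rather than in a link.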