On Thu, 2005-11-24 at 18:03 +0100, Michiel Meeuwissen wrote:
> Simon Groenewolt wrote:
> > Kees Jongenburger wrote:
> > >for my project I store a generated key in the user object
> > >and use the userid/key combo for auto login
> > >and the username/password as login screen
> >
> > That was exactly what I meant :-)
>
> So, that field is like an alternative password, and about as good,
> because if you have it, you only need to offer it as a cookie.... I
> think you don't use one of the existing mmbase security implementations
> then?

My main reason for generating an 'alternative' password would be that some users choose to use the same password for different applications - if that same password is stored plain-text it poses not only a security threat to the mmbase-access but also to other password-secured applications.

Even if you only look at the security of mmbase, storing the generated password might be a little bit better. Apart from the 'hard to remember' part you mention, you could also disallow changing the password without entering the 'real' one, thereby making it a little bit harder for someone to easily take over an account.

Simon
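
The scheme discussed in this thread, as an added sketch that is not MMBase code and not from any of the posters: a generated key used with the userid for cookie auto-login, and a password change that still demands the real password. The in-memory `USERS` store and all function names are hypothetical; storing only a digest of the key and hashing the password with PBKDF2 are assumptions that go beyond what the thread describes.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store standing in for the user object.
USERS = {}

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(userid, password):
    salt = secrets.token_bytes(16)
    USERS[userid] = {"salt": salt, "pw": _hash_password(password, salt), "key": None}

def check_password(userid, password):
    user = USERS.get(userid)
    if user is None:
        return False
    return hmac.compare_digest(user["pw"], _hash_password(password, user["salt"]))

def issue_autologin_key(userid, password):
    """Full username/password login; returns the key to place in the cookie."""
    if not check_password(userid, password):
        return None
    key = secrets.token_urlsafe(32)  # random, unrelated to the password
    # Keep only a digest, so a leaked user table does not yield usable cookies.
    USERS[userid]["key"] = hashlib.sha256(key.encode()).digest()
    return key

def auto_login(userid, key):
    """Cookie login with the userid/key combo."""
    user = USERS.get(userid)
    if user is None or user["key"] is None:
        return False
    return hmac.compare_digest(user["key"], hashlib.sha256(key.encode()).digest())

def change_password(userid, current_password, new_password):
    """Demands the real password, even for a session that began with auto_login."""
    if not check_password(userid, current_password):
        return False
    salt = secrets.token_bytes(16)
    # key=None revokes the outstanding auto-login cookie.
    USERS[userid].update(salt=salt, pw=_hash_password(new_password, salt), key=None)
    return True
```

A stolen cookie still grants a session here, but it cannot be used to set a new password, and a legitimate password change invalidates it.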
