In that case, your clients are screwed.
Happy to help!
-dhs
(FWIW, Basic AuthN is HORRIBLY insecure and should be avoided at all
cost.)
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not
that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
On Jul 13, 2007, at 4:38 PM, Cheyenne Throckmorton wrote:
In most of our applications that we run our basic authentication is
to have them provide their email address as a username and then a
password.
We store that password hashed with salt onto our databases, and
have no real way of knowing what it is. If a user forgets their
password then they have the system email them a link with a URL
with a GUID variable that takes them to a page where they can reset
their password to whatever they want again, and again only its hash
is stored in our databases.
Now this is all fine and dandy, except what happens if this person
both forgets their password and changes email, say they changed
jobs and no longer have access to the old email, how do you now
authenticate this person?
Currently, we don't have any secret questions or the like set up,
but is that the only way.
Just curious on some of your ideas out there on how you do
authentication, especially in the case of changed email and
forgotten password.
Cheyenne
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------
