-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of silky Subject: Password Reset, was Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
>> Personally, I'll settle for never seeing my current password being >> sent to me in clear text again for whatever reason. Mailman, I'm >> looking at you, among others. > > Agreed, I mean I don't want to start a whole thread here or > miscelaneous security advice, but I do hope people realise that > the correct pattern is to generate an access token (that only allows > password reset), send that, allow only one login using it, and force > the user to come up with a new password. You should never send > the existing password (indeed, you should never even have it, it > should be hashed and salted). Unfortunately commercial reality means that there are many types of systems where the original password needs to be kept. ON your average Windows server, logging on a service using a service account requires Windows to keep the password somewhere. There are many systems that need to interact with other systems, and require the original password to do so. A hash isn't always sufficient. Cheers Ken
