On 30 Jun 2002 at 11:24, Lisi wrote:

> 1) Storing the passwords using some form of encryption, which can be
> reversed and the password can be emailed to the user.

> This seems to me to be preferable, since they don't have to change
> their password whenever they forget it. However, are there security
> issues with this? 

I'm not a security expert but I find it useful to see what others have done. In the old days I recall computers requiring that I change my password on a periodic basis. The comfort of my keeping the same password did not seem to be worth more than a need to secure my account. As a user I prefer to keep the same password. But I have accounts in at least about 50 places. More and more people are now using usernames and passwords and pin numbers. I find that most people try to use the same combination everywhere. If I were concerned about security at my site I would choose a username and choose a password for the user and change the password periodically. But, I would be sure there is a mechanism for allowing the user to be reminded as he will forget. I would use the question/answer scenario and give out the password ONLY via a secure connection. I would not send it out via email where it could be read by anyone listening.

I was doing a search on the web for something and I came across a site which had all the marketing material for a major ISP. The site was for their sales people etc. and it was password protected. It just so happened that a recent cohort had gone to work at this company. I called my boss over and asked him if we should try and get in. Guess what, my boss knew the favorite combo of our previous cohort and he entered it and presto we got in.

I've written A LOT of apps that require username/password. Naturally the stakeholders never consider it an issue if a user should choose his username or if one should be assigned. My default is to assign but I've found that 99.9% of stakeholders think the user should decide. This is because they don't think the whole thing through ... so now you have to check if the username is taken and then present a screen to ask them to choose another of their favorite usernames that everyone knows they use .... and so on ... maybe you create a list of similar names that are not taken ... yadda .... I find it much better to just assign the name and so even though I know the stakeholders will disagree I hope they don't notice or consider it too late in the game to change (and I consider it their fault for not spec'ing the project beforehand ... never been on such a project).

> I know many people recommend the second method:
> What are the advantages of this, since someone would need access to
> the person's email address with either method 1 or 2 in order to steal
> the password?
> 
> What functions should I be looking at for encryption, for either
> method? What are advantages and disadvantages of each method?

Sending a username and password via email is an obvious security violation imho unless it's encrypted but NO ONE does this afaik. The best way, imho, is to send a special url to the user's email. Okay. They click the url and connect to a secure connection where they now answer the questions you asked them when they signed up. If they answer correctly you then give them a new password and remind them what their username is. All SSL.

But all of this is really just keeping drunks out. Every company asks the same questions and they seem to think that a person's SSN or mother's maiden name or pet name is somehow secure. I've seen some where the person chose the question and answer ... now that's pretty good.

My 2 cents.


Peter



-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
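The reset-by-link flow described above (an emailed single-use link, a question/answer check on the secure page, then a new password) combined with Lisi's "second method" of storing only a one-way hash, as an added Python example that is not part of this thread. The in-memory `ResetFlow` store, the PBKDF2 parameters and the `answer_ok` flag standing in for the question/answer check are my assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000   # assumed cost; raise it for production hardware
TOKEN_TTL = 3600          # seconds an emailed reset link stays valid

def hash_password(password, salt=None):
    """One-way: the stored (salt, digest) pair cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def check_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

class ResetFlow:
    """Constructed in-memory stand-in for the user and reset tables (an assumption)."""
    def __init__(self, now=time.time):
        self.users = {}     # username -> (salt, digest); no reversible password anywhere
        self.pending = {}   # username -> (sha256(token), expiry)
        self.now = now      # injectable clock so expiry can be exercised

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def request_reset(self, username):
        """Return the secret for the emailed URL; only its hash is stored server-side."""
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self.pending[username] = (token_hash, self.now() + TOKEN_TTL)
        return token

    def complete_reset(self, username, token, answer_ok, new_password):
        """answer_ok is the outcome of the question/answer check on the SSL page.
        The pending entry is consumed on every attempt, so each link is single-use."""
        entry = self.pending.pop(username, None)
        if entry is None or not answer_ok:
            return False
        token_hash, expiry = entry
        if self.now() > expiry:
            return False
        candidate = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(candidate, token_hash):
            return False
        self.users[username] = hash_password(new_password)   # store only the hash
        return True
```

The emailed link carries nothing that can be replayed after use or after expiry, and a copy of the database yields neither passwords nor usable reset tokens.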