On 30 Jun 2002 at 11:24, Lisi wrote:

> 1) Storing the passwords using some form of encryption, which can be
> reversed and the password can be emailed to the user.
> This seems to me to be preferable, since they don't have to change
> their password whenever they forget it. However, are there security
> issues with this?

I'm not a security expert, but I find it useful to see what others have done.

In the old days I recall computers requiring that I change my password on a periodic basis. The comfort of my keeping the same password did not seem to be worth more than the need to secure my account. As a user I prefer to keep the same password. But I have accounts at at least about 50 places. More and more people are now using usernames and passwords and PIN numbers. I find that most people try to use the same combination everywhere.

If I were concerned about security at my site I would choose a username and choose a password for the user and change the password periodically. But I would be sure there is a mechanism for allowing the user to be reminded, as he will forget. I would use the question/answer scenario and give out the password ONLY via a secure connection. I would not send it out via email, where it could be read by anyone listening.

I was doing a search on the web for something and I came across a site which had all the marketing material for a major ISP. The site was for their sales people etc. and it was password protected. It just so happened that a recent cohort had gone to work at this company. I called my boss over and asked him if we should try and get in. Guess what, my boss knew the favorite combo of our previous cohort and he entered it and presto, we got in.

I've written A LOT of apps that require username/password. Naturally the stakeholders never consider it an issue whether a user should choose his username or whether one should be assigned. My default is to assign, but I've found that 99.9% of stakeholders think the user should decide. This is because they don't think the whole thing through ... so now you have to check if the username is taken and then present a screen to ask them to choose another of their favorite usernames that everyone knows they use ... and so on ... maybe you create a list of similar names that are not taken ... yadda ... I find it much better to just assign the name, and so even though I know the stakeholders will disagree, I hope they don't notice or consider it too late in the game to change (and I consider it their fault for not spec'ing the project beforehand ... never been on such a project).

> I know many people recommend the second method:
> What are the advantages of this, since someone would need access to
> the person's email address with either method 1 or 2 in order to steal
> the password?
>
> What functions should I be looking at for encryption, for either
> method? What are advantages and disadvantages of each method?

Sending a username and password via email is an obvious security violation imho unless it's encrypted, but NO ONE does this afaik.

The best way, imho, is to send a special URL to the user's email. Okay. They click the URL and connect to a secure connection where they now answer the questions you asked them when they signed up. If they answer correctly you then give them a new password and remind them what their username is. All SSL.

But all of this is really just keeping drunks out. Every company asks the same questions and they seem to think that a person's SSN or mother's maiden name or pet name is somehow secure. I've seen some where the person chose the question and answer ... now that's pretty good.

My 2 cents.

Peter

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
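The reset flow Peter describes (one-way password storage, a mailed single-use link, question answered over SSL, then a freshly assigned password), as an added PHP example that is not code from the thread; the in-memory `$db` array, the example.invalid URL and the 15-minute token lifetime are assumptions standing in for a real table and site.

```php
<?php
// Added illustration of the thread's reset flow; $db is a hypothetical in-memory table.
declare(strict_types=1);

const RESET_TTL = 900; // assumed token lifetime: 15 minutes

// One-way storage: neither the password nor the answer is recoverable, only verifiable.
function storeUser(array &$db, string $user, string $password, string $answer): void {
    $db[$user] = [
        'pw_hash'     => password_hash($password, PASSWORD_DEFAULT),
        'answer_hash' => password_hash(strtolower(trim($answer)), PASSWORD_DEFAULT),
        'reset'       => null,
    ];
}

// Step 1: mint a random single-use token. Only its hash is stored, so a leaked
// database row cannot be turned into a working reset link. Return value is mailed.
function issueResetLink(array &$db, string $user): ?string {
    if (!isset($db[$user])) return null;          // caller shows the same message either way
    $token = bin2hex(random_bytes(32));
    $db[$user]['reset'] = ['hash' => hash('sha256', $token), 'expires' => time() + RESET_TTL];
    return 'https://example.invalid/reset?u=' . rawurlencode($user) . '&t=' . $token;
}

// Step 2: over TLS the user presents the token and the sign-up answer. On success a
// new password is assigned and the token is burned, so the link works exactly once.
function redeemResetLink(array &$db, string $user, string $token, string $answer): ?string {
    $rec = $db[$user]['reset'] ?? null;
    if ($rec === null || time() > $rec['expires']) return null;
    if (!hash_equals($rec['hash'], hash('sha256', $token))) return null;   // constant-time
    if (!password_verify(strtolower(trim($answer)), $db[$user]['answer_hash'])) return null;
    $newPassword = bin2hex(random_bytes(8));
    $db[$user]['pw_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $db[$user]['reset']   = null;                 // single use
    return $newPassword;                          // shown once on the SSL page, never emailed
}

// Demo with constructed values: a valid redemption succeeds, a replay of the link fails.
$db = [];
storeUser($db, 'lisi', 'old-secret', 'Fluffy');
parse_str(parse_url(issueResetLink($db, 'lisi'), PHP_URL_QUERY), $q);
$fresh = redeemResetLink($db, $q['u'], $q['t'], 'fluffy');
if ($fresh === null || !password_verify($fresh, $db['lisi']['pw_hash'])) {
    throw new RuntimeException('reset should have succeeded');
}
if (redeemResetLink($db, $q['u'], $q['t'], 'fluffy') !== null) {
    throw new RuntimeException('replayed link should be rejected');
}
echo "reset flow ok\n";
```

Storing only a hash of the token and comparing with `hash_equals` keeps a database read or a timing leak from yielding a usable link; the expiry and single-use flag limit how long a mailed URL stays dangerous if the mailbox is read by someone else.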