Hi David,

> In general, I've always designed systems with passwords stored in a
> database as a one-way hash so that if the database gets compromised,
> you're not giving up users' passwords (it's a PITA to tell everyone to
> change their password).  I encrypt the passwords in the browser (using
> the same algorithm) and always transmit an encrypted password.
> There's no place to peek.  I provide a one-time link to a password
> reset page if they forgot their password.  That's sent to the email on
> file (which they gave me).

Not sure if I understand it well, but it seems to me that your hash
becomes the password.  In other words, if I find out the hash, I can log
in (e.g. using my own client).


UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe
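An added example that plays out the point made in the reply above; it is not code from David, from the replier, or from PicoLisp. With the quoted design (browser hashes, server stores and compares the same hash) the value sitting in the database is accepted as a credential by anyone who sends it from their own client. The second server keeps the browser-side hash, so the raw password still never reaches the server, but runs a salted, iterated hash over whatever arrives, so the stored value is no longer a valid login token. SHA-256 as the browser hash, PBKDF2 on the server, and the sample user and password are assumptions for illustration.

```python
import hashlib
import hmac
import os


def client_hash(password):
    """What the browser sends. SHA-256 is an assumed stand-in for 'the same algorithm'."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ServerA:
    """Design as described in the quoted message: store and compare the client hash."""

    def __init__(self):
        self.db = {}  # user -> stored client hash; this is exactly what a DB dump leaks

    def register(self, user, password):
        self.db[user] = client_hash(password)

    def login(self, user, transmitted):
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, transmitted)


class ServerB:
    """Same browser-side hash on the wire, but the server salts and stretches it."""

    def __init__(self, iterations=200_000):
        self.db = {}  # user -> (salt, pbkdf2 digest); a leaked digest cannot be replayed
        self.iterations = iterations

    def _derive(self, transmitted, salt):
        return hashlib.pbkdf2_hmac("sha256", transmitted.encode("utf-8"), salt, self.iterations)

    def register(self, user, transmitted):
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(transmitted, salt))

    def login(self, user, transmitted):
        rec = self.db.get(user)
        if rec is None:
            # Burn the same work for unknown users so timing does not reveal who exists.
            self._derive(transmitted, b"\x00" * 16)
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._derive(transmitted, salt))


def demo():
    password = "correct horse battery staple"  # constructed sample credential

    a = ServerA()
    a.register("alice", password)
    leaked_a = a.db["alice"]  # attacker reads this out of the compromised database

    b = ServerB(iterations=1_000)  # low count to keep the demo quick; use far more in production
    b.register("alice", client_hash(password))
    _salt, leaked_b = b.db["alice"]

    return {
        # Design A: the leaked hash, sent from the attacker's own client, logs in.
        "A_replay_leaked_hash": a.login("alice", leaked_a),
        # Design B: replaying the stored digest fails; only the real client hash works.
        "B_replay_leaked_digest": b.login("alice", leaked_b.hex()),
        "B_legitimate_login": b.login("alice", client_hash(password)),
        "B_wrong_password": b.login("alice", client_hash("not the password")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that the browser-side hash is still a replayable credential in transit, so it needs TLS just as a plaintext password would; the server-side salted KDF only stops the value at rest from being one.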