Hi David, > In general, I've always designed systems with passwords stored in a > database as a one-way hash so that if the database gets compromised, > you're not giving up users' passwords (it's a PITA to tell everyone to > change their password). I encrypt the passwords in the browser (using > the same algorithm) and always transmit an encrypted password. > There's no place to peek. I provide a one-time link to a password > reset page if they forgot their password. That's sent to the email on > file (which they gave me).
not sure if I understand it well but it seems to me that your hash becomes the password. In other words, if I find out the hash, I can log in (e.g. using my own client). Cheers, Tomas -- UNSUBSCRIBE: mailto:[email protected]?subject=unsubscribe
