On Thu, Mar 15, 2007 at 05:56:47PM -0400, The Editor wrote:
> >Normally one does not "unencrypt" passwords. Instead, the way
> >passwords work is that one stores the encrypted form of a password,
> >and to check if an entered password matches the stored one, you
> >simply re-encrypt the entered password and make sure that the
> >resulting encryptions match.
>
> Ahhh, thanks Pm. Very clever. But then how does one send a password
> reminder? Or is that not normally done?
Normally I'm not a fan of "password reminder" systems, as it means that
the password is sent via email (in cleartext), and thus cannot be
trusted after being sent.

What many systems do is send a message containing a link to be followed
in order to reset the password. The link contains a one-time-use code
(essentially a random number) that allows the password to be changed for
a limited period of time. The person receiving the mail can then use
this link to regain access to the account, and change the password to a
known value.

Pm

_______________________________________________
pmwiki-users mailing list
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
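The two ideas in this exchange (store only a salted hash of the password and re-derive it to check a login; for recovery, mail a one-time random code with a short lifetime instead of the password itself) as an added, self-contained example. This is not PmWiki's code and not Pm's; it is a small in-memory model written here for illustration. The class name `Accounts`, the 15-minute lifetime, the PBKDF2 iteration count and the sample usernames are all assumptions chosen for the example. Note that only a SHA-256 digest of the reset code is kept server-side, so a leaked database does not hand out usable reset links, the code is consumed on first use whether or not it is still valid, and the comparison of password digests is constant-time.

```python
# Added example (not PmWiki's own code): an in-memory model of hashed
# password storage plus an emailed one-time reset code, as discussed above.
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Illustrative policy values (assumptions, not PmWiki settings).
RESET_TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex'. Only this string is stored, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the entered password with the stored salt and compare digests."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


class Accounts:
    """Hypothetical account store; a real site would back this with a database."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.users: Dict[str, str] = {}  # username -> 'salt$digest'
        self.resets: Dict[str, Tuple[str, float]] = {}  # sha256(code) -> (user, expires_at)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and verify_password(password, stored)

    def issue_reset_token(self, username: str) -> Optional[str]:
        """Return the one-time code to embed in the emailed link.

        Only a hash of the code is kept; the plaintext code travels once, in the mail.
        The caller should answer the user identically whether or not the account exists.
        """
        if username not in self.users:
            return None
        code = secrets.token_urlsafe(32)  # 256 bits of randomness
        key = hashlib.sha256(code.encode()).hexdigest()
        self.resets[key] = (username, self.clock() + RESET_TOKEN_TTL_SECONDS)
        return code

    def redeem_reset_token(self, code: str, new_password: str) -> bool:
        """Consume the code (single use) and, if it is still valid, set a new password."""
        key = hashlib.sha256(code.encode()).hexdigest()
        entry = self.resets.pop(key, None)  # removed even if expired: never reusable
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    acct = Accounts()
    acct.register("alice", "correct horse")  # constructed sample account
    code = acct.issue_reset_token("alice")
    print("stored record:", acct.users["alice"][:24] + "...")
    print("reset link would carry:", code)
    print("redeem once:", acct.redeem_reset_token(code, "new passphrase"))
    print("redeem again:", acct.redeem_reset_token(code, "attacker"))
    print("login with new passphrase:", acct.login("alice", "new passphrase"))
```

The `clock` parameter exists only so the lifetime check can be exercised without waiting; in production leave the default. The same pattern (hash the secret you hand out, compare what comes back against the hash) applies equally to session cookies and API keys.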
