On Wed, Nov 18, 2009 at 8:19 AM, André Allavena <[email protected]> wrote:

> 2009/11/18 Jeremy Evans <[email protected]>:
> > On Nov 18, 6:57 am, Scott LaBounty <[email protected]> wrote:
> >> All,
> >>
> >> I've just put up another post Ramaze / Sequel. This one talks about
> letting
> >> a user know their password if they forget. Let me know if you find any
> >> issues.
> >>
> >> http://steamcode.blogspot.com/2009/11/forgot-password.html
> >>
> >> Thanks!
> >
> > I'll admit to not reviewing the code in detail, because I think the
> > basic design is flawed.  You shouldn't be storing the user's passwords
> > directly in the database, it's generally considered a security risk.
> > You should be storing only password hashes in the database, preferably
> > salted per user.
> >
> > Personally, I think challenge questions are stupid.  Most challenge
> > questions are easily guessable with a little research.
>
> There was a paper from Microsoft research proving Jeremy's point. It
> also replicated another result, which was that 20% of people forget
> their answers within 6 months. (Don't have the link handy; I think
> you'll find the references by searching on Usability Security
> Question).
>
> André
>
> --
>
> You received this message because you are subscribed to the Google Groups
> "sequel-talk" group.
> To post to this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/sequel-talk?hl=.
>
>
>
Jeremy/André,

First thanks for the input. You're right of course, you shouldn't be storing
the password unencrypted in the database. I was going for simplicity here
and perhaps should have either a) made that clear or b) just done it right.

To your and André's second point on challenge questions, I'll not deny
that they may be pointless, but I thought that since so many people use
them, I'd figure it out and show them how.

André, I'll look for the paper. The 20% figure does seem pretty reasonable.

Anyway, thanks again to both of you for your input.

-- 
Scott
http://steamcode.blogspot.com/
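Jeremy's point above (store only a per-user salted hash, never the password) and the forgot-password flow Scott describes, as an added example that is not code from the thread or from the blog post. It is plain Ruby with no Sequel dependency; the `password_hash` column name and the PBKDF2 parameters are assumptions, and once only a hash is stored the "forgot password" step has to hand out a reset token instead of mailing the password back.

```ruby
require 'openssl'
require 'securerandom'

# Added example: keeps only a per-user salted PBKDF2 hash of the password.
# The string returned by hash_password would be stored in a column such as
# `password_hash` (column name assumed); the plaintext is never persisted.
module PasswordStore
  ITERATIONS = 100_000
  KEY_LENGTH = 32
  DIGEST     = 'sha256'

  # Returns "pbkdf2$<iterations>$<salt hex>$<hash hex>" for storage.
  # A fresh random salt per user means identical passwords hash differently.
  def self.hash_password(plain)
    salt = SecureRandom.random_bytes(16)
    key  = derive(plain, salt, ITERATIONS)
    ['pbkdf2', ITERATIONS, salt.unpack1('H*'), key.unpack1('H*')].join('$')
  end

  # Re-derives the key with the stored salt and compares in constant time.
  # Malformed or empty stored values are rejected rather than raising.
  def self.verify_password(stored, plain)
    scheme, iters, salt_hex, hash_hex = stored.to_s.split('$', 4)
    return false unless scheme == 'pbkdf2' && iters && salt_hex && hash_hex
    expected = [hash_hex].pack('H*')
    actual   = derive(plain, [salt_hex].pack('H*'), iters.to_i)
    secure_compare(expected, actual)
  end

  # Replacement for mailing the password: give the user a random one-time
  # token and persist only its SHA-256, so a database read does not yield
  # usable tokens. Returns [token_to_send, digest_to_store].
  def self.new_reset_token
    token = SecureRandom.urlsafe_base64(32)
    [token, OpenSSL::Digest::SHA256.hexdigest(token)]
  end

  def self.derive(plain, salt, iters)
    OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: iters,
                             length: KEY_LENGTH, hash: DIGEST)
  end
  private_class_method :derive

  # Constant-time byte comparison so timing does not leak how many bytes match.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private_class_method :secure_compare
end
```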
