On Nov 30, 2:34 pm, Scott LaBounty <[email protected]> wrote:
> I received some rather "stern" comments after my last post on what should
> happen when a user forgets their password. Here's a new one ...
>
> http://steamcode.blogspot.com/2009/11/ramaze-forgot-password-ii.html
>
> that will hopefully get close to what everyone thinks should happen. Let me
> know what you think.
>
> Thanks for the comments.
Looks better, but I recommend a few more changes:

1) You need to salt your password hashes. Unsalted hashes are better than storing the password in plaintext, but most common hash algorithms probably already have large rainbow tables that will allow an easy lookup of most passwords given an unsalted hash.

2) I would recommend at least including random data when generating the random key for password resets. Your use of the username and Time.now makes it guessable if you know roughly when the user requested/will request a password change.

encrypt_password is a poorly named method, since you are hashing, not encrypting (encrypting implies the possibility of decrypting, while hashing is one way).

3) I generally put a time limit on password resets. That way if someone requests one, but then remembers their password and doesn't change it, they are not vulnerable to someone else changing it next year.

Jeremy
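The three points above (per-user salt, a reset token drawn from a CSPRNG instead of username + Time.now, and an expiry on that token) put together in working Ruby. This is an added example for this thread, not code from the Ramaze post or from Sequel; it uses only the standard library (openssl, securerandom) and an in-memory hash standing in for the users table. Storing only a SHA-256 of the reset token goes one step beyond what Jeremy asks for: it means a leaked table does not hand out usable reset links. Iteration count, key length and the one-hour TTL are assumed values, not from the thread.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not the blog's code. Constants are assumed values.
module PasswordSafety
  ITERATIONS = 100_000   # PBKDF2 work factor; tune for your hardware
  KEY_LEN    = 32        # derived hash length in bytes
  RESET_TTL  = 60 * 60   # point 3: reset tokens die after one hour

  # Point 1: a fresh random salt per user, stored next to the hash.
  # The same password with a different salt yields a different hash,
  # so a precomputed rainbow table is useless.
  def self.hash_password(password, salt = SecureRandom.random_bytes(16))
    digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, 'sha256')
    { salt: salt, hash: digest }
  end

  # Re-derive with the stored salt and compare in constant time.
  def self.password_matches?(password, record)
    candidate = hash_password(password, record[:salt])[:hash]
    secure_compare(candidate, record[:hash])
  end

  # Point 2: the reset key comes from the CSPRNG, not username + Time.now.
  # Returns the token to e-mail to the user and the record to persist.
  # Only the SHA-256 of the token is stored (beyond the thread's advice),
  # so a leaked users table cannot be turned into valid reset links.
  def self.issue_reset_token(now = Time.now)
    token  = SecureRandom.urlsafe_base64(32)
    record = { token_hash: OpenSSL::Digest::SHA256.digest(token),
               expires_at: now + RESET_TTL }
    [token, record]
  end

  # Point 3: refuse tokens that are missing, expired, or do not match.
  def self.reset_token_valid?(token, record, now = Time.now)
    return false if record.nil? || now > record[:expires_at]
    secure_compare(OpenSSL::Digest::SHA256.digest(token), record[:token_hash])
  end

  # Constant-time byte comparison so a wrong guess is not leaked by timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $0
  # Constructed demo data; "users" stands in for the database table.
  users = { 'scott' => PasswordSafety.hash_password('correct horse') }
  puts "login ok?      #{PasswordSafety.password_matches?('correct horse', users['scott'])}"
  puts "wrong pw ok?   #{PasswordSafety.password_matches?('wrong', users['scott'])}"

  token, reset = PasswordSafety.issue_reset_token
  users['scott'][:reset] = reset
  puts "fresh token?   #{PasswordSafety.reset_token_valid?(token, reset)}"
  puts "after 2h?      #{PasswordSafety.reset_token_valid?(token, reset, Time.now + 7200)}"
end
```

In a Sequel model the salt, hash, token_hash and expires_at would simply be columns; the important property is that none of them is derivable from the username or the clock, and that the token check fails closed once expires_at has passed.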
