On Thu, Nov 22, 2001 at 04:01:42PM -0800, Tavis Rudd wrote:
> > If passwords are hashed, it's impossible to
> > have an "I forgot my password; mail it to me" screen, because the
> > program cannot unhash the password. You can say, "Oooh, that's
> > unacceptable," but it all depends on what the password grants
> > access to.  If it's to my bank account, it better be hashed and
> > behind 128-bit https: .  But if it's just to post to a forum or
> > edit an online profile/resume, maybe it doesn't matter that much
> > and it's more important to provide convenience instead.
> 
> There are ways around this that don't require storage of passwords in 
> clear text.  For example, a fall-back challenge question can be used 
> in combination with an email address.  The user forgets their 
> password, clicks 'send me a reminder', the server sends an email 
> with a randomized URI the user can go to for the next 30 minutes and 
> change their password.  Once they go to the URI they must answer the 
> challenge question correctly before changing their password.  The 
> response to the challenge question would also be hashed.  The 
> password change would only truly be secure if it was encrypted via 
> SSL, but you could use a JavaScript implementation of md5 to send a 
> hash of the new password instead of clear text when SSL is not 
> available.

OK, but let's keep in mind that the main feature of Webware is
flexibility.  We don't want to presume to know what the best
password-storage and password-recovery mechanism is for all sites;
instead, we want to provide alternative schemes the appadmin can plug
in or override as necessary.

For instance, the fallback challenge question is good for users who
frequent the site and have some level of commitment to it.  It's less
good for occasional users who maybe aren't sure about the site, to whom
one more personal question may be too many (like I was about Yahoo's
birthdate question), or who aren't thrilled about memorizing yet another
piece of information (who did I say my favorite sports hero is, and how
did I spell it?)

-- 
-Mike (Iron) Orr, [EMAIL PROTECTED]  (if mail problems: [EMAIL PROTECTED])
   http://iron.cx/     English * Esperanto * Russkiy * Deutsch * Espan~ol
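The recovery flow Tavis describes (random reset URI valid for 30 minutes, a hashed challenge answer checked before the password may change), written out as an added example in Python; it is not code from this thread or from Webware. The `PasswordReset` class, the token format and the attempt limit are assumptions, and the hashing uses salted PBKDF2 rather than md5 so that neither the password nor the challenge answer is ever stored in clear text.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60   # the 30-minute window from the quoted reply
MAX_CHALLENGE_ATTEMPTS = 3    # assumed: wrong answers burn the token eventually


def hash_secret(secret: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256 of a password or challenge answer; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return salt, digest


def verify_secret(secret: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not leak how much of the digest matched."""
    return hmac.compare_digest(hash_secret(secret, salt)[1], expected)


def normalize(answer: str) -> str:
    """Tolerate case/whitespace in challenge answers without storing them in clear."""
    return " ".join(answer.lower().split())


class PasswordReset:
    """Hypothetical account record: hashed password, hashed challenge answer, reset tokens."""

    def __init__(self, password: str, challenge_answer: str, now=time.time):
        self.now = now                      # injectable clock so expiry can be tested
        self.pw = hash_secret(password)
        self.answer = hash_secret(normalize(challenge_answer))
        self.tokens = {}                    # token -> [expiry timestamp, attempts left]

    def request_reset(self) -> str:
        """'Send me a reminder': mint the random token that goes into the mailed URI."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = [self.now() + TOKEN_TTL_SECONDS, MAX_CHALLENGE_ATTEMPTS]
        return token

    def complete_reset(self, token: str, answer: str, new_password: str) -> bool:
        """Token must be unexpired and the challenge answer must verify; token is single-use."""
        entry = self.tokens.get(token)
        if entry is None or self.now() > entry[0]:
            self.tokens.pop(token, None)    # expired or unknown: discard and refuse
            return False
        if not verify_secret(normalize(answer), *self.answer):
            entry[1] -= 1
            if entry[1] <= 0:
                del self.tokens[token]      # too many wrong answers: token is dead
            return False
        del self.tokens[token]              # success: consume the token
        self.pw = hash_secret(new_password)
        return True

    def login(self, password: str) -> bool:
        return verify_secret(password, *self.pw)
```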

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss
