On Thursday 22 November 2001 04:01 pm, Tavis Rudd wrote:
> There's ways around this that don't require storage of passwords in
> clear text. For example, a fall-back challenge question can be used
> in combination with an email address. The user forgets their
> password, clicks 'send me a reminder', the server sends an email
> with a randomized URI the user can go to for the next 30 minutes and
> change their password. Once they go to the URI they must answer the
> challenge question correctly before changing their password. The
> response to the challenge question would also be hashed. The
> password change would only truly be secure if it was encrypted via
> SSL, but you could use the javascript implementation md5 to send a
> hash of the new password instead of clear text when SSL is not
> available.
While those are all interesting solutions, we still shouldn't preclude a web site developer from mailing the user their password. That is still more convenient to the user than the above solutions, and for many sites the most basic security is all that is required.

-Chuck

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss
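The reset flow Tavis describes (time-limited random URI mailed to the user, challenge answer checked and stored only as a hash, then the password change), as an added example that is not code from either poster or from Webware. It uses a salted PBKDF2 hash in place of the MD5 mentioned, keeps only a hash of the reset token server-side, and takes an injectable clock so the 30-minute expiry can be tested; the host in the URI is a placeholder.

```python
import hashlib, hmac, os, secrets, time

TOKEN_TTL_SECONDS = 30 * 60  # the 30-minute window from the post


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256: neither the password nor the challenge answer is stored in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class ResetService:
    def __init__(self, now=time.time):
        self.now = now
        self.users = {}   # email -> {"salt", "pw_hash", "ans_hash"}
        self.tokens = {}  # sha256(token) -> (email, expiry); a DB leak reveals no usable token

    def register(self, email, password, challenge_answer):
        salt = os.urandom(16)
        self.users[email] = {"salt": salt,
                             "pw_hash": _hash(password, salt),
                             "ans_hash": _hash(challenge_answer.strip().lower(), salt)}

    def request_reset(self, email):
        """Step 1 ('send me a reminder'): returns the URI to e-mail, or None for unknown users."""
        if email not in self.users:
            return None  # a real handler would answer the browser identically either way
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (email, self.now() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/reset?token={token}"  # placeholder host

    def complete_reset(self, token, challenge_answer, new_password):
        """Step 2: the URI must be unexpired and the challenge answered before the password changes."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)  # single use: a wrong answer burns the token too
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        user = self.users[email]
        given = _hash(challenge_answer.strip().lower(), user["salt"])
        if not hmac.compare_digest(user["ans_hash"], given):
            return False
        user["pw_hash"] = _hash(new_password, user["salt"])
        return True

    def check_password(self, email, password):
        user = self.users.get(email)
        return user is not None and hmac.compare_digest(user["pw_hash"], _hash(password, user["salt"]))
```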
