Sending user passwords in the clear
#11

[eluser]Thorpe Obazee[/eluser]
With your flags and random string plus a secret question, it's much better Smile
#12

[eluser]Dregond Rahl[/eluser]
The only problem is when the user can't remember the answer to the question; the end result is sending the user the password anyway XD

Some people just shouldn't use the internet
#13

[eluser]Thorpe Obazee[/eluser]
[quote author="Dregond Rahl" date="1242639719"]the only problem is when the user can't remember the answer to the question[/quote]

That's the time you tell them to call a toll-free number Tongue
#14

[eluser]Xeoncross[/eluser]
That is the whole "forgotten password" setup. How it actually works is: 1) user enters username/email, 2) system creates random key and key_time, 3) sends key to user's email, 4) user clicks key and is sent back to site, 5) if user clicked key within key_time (15 mins?) then we confirm that this must be the user that owns the account and we now let them create a new password.

Optionally, a new password could also be created and emailed with 2) and when they click the link within the time limit that new password is activated (DX Auth).

Anyway, my site has something like this but I am still trying to figure out a way to avoid it by giving a hint in the registration email so that a user can just look back at that email without going through this trouble.
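The five-step reset flow described above, written out as a small PHP example. This is added code, not anything from the thread or from DX Auth; it assumes an in-memory array standing in for the reset-request table, a `hash()`-ed copy of the key stored server-side (so a leaked table does not yield usable links), and a constructed clock passed in as `$now` so the key_time check can be exercised without waiting.

```php
<?php
// Added example of a token-based forgotten-password flow (not code from the thread).
declare(strict_types=1);

const RESET_TTL_SECONDS = 15 * 60;   // the "key_time" from the post: 15 minutes

// Assumed store: username => ['token_hash' => ..., 'expires' => ...]
// (stands in for a database table in a real application).
$resetStore = [];

// Steps 2 and 3: create the random key and its expiry. Only a hash of the key
// is kept; the raw key is returned so it can go into the emailed link.
function createResetToken(array &$store, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32));            // 64 hex chars, 256 bits of randomness
    $store[$username] = [
        'token_hash' => hash('sha256', $token),
        'expires'    => $now + RESET_TTL_SECONDS,
    ];
    return $token;
}

// Steps 4 and 5: the link was clicked. Accept only a token that exists, has not
// expired, matches, and has not been used before. On success the caller may let
// the user choose a new password.
function consumeResetToken(array &$store, string $username, string $token, int $now): bool
{
    if (!isset($store[$username])) {
        return false;                              // no pending request for this account
    }
    $entry = $store[$username];
    unset($store[$username]);                      // single use, whether or not it succeeds below

    if ($now > $entry['expires']) {
        return false;                              // outside key_time
    }
    // Compare hashes in constant time rather than comparing raw tokens with ==.
    return hash_equals($entry['token_hash'], hash('sha256', $token));
}

// Demo run with a constructed clock.
$now = time();

$token = createResetToken($resetStore, 'alice', $now);
$ok = consumeResetToken($resetStore, 'alice', $token, $now + 60);        // fresh, within the window
$reused = consumeResetToken($resetStore, 'alice', $token, $now + 120);   // same token presented again

$token2 = createResetToken($resetStore, 'alice', $now);
$late = consumeResetToken($resetStore, 'alice', $token2, $now + 20 * 60); // presented after key_time

var_dump($ok, $reused, $late);
```

Two points the thread touches on are made concrete here: the expiry is enforced on the server from the stored timestamp, not from anything in the link, and the token is invalidated on first use so a link that is later found in a mailbox cannot be replayed.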
#15

[eluser]Dam1an[/eluser]
If you want to make the whole random string thing more secure when dealing with forgotten passwords, send them the link with a 32 char unique string, then make them type in their email address as well to confirm... they can then choose a new password

The chance of someone 'guessing' a valid 32 character string in a given time period is unlikely enough, but to then have to match it to the email address is not far from uncrackable (the only way to crack that would be if you intercept the email, but that's true with all these methods)
#16

[eluser]Xeoncross[/eluser]
Actually, I use 256bit SHA256 for my hashes. The infamous MD5 is the only common algorithm that creates 32 char hashes. Also, the email addition is pretty useless as intercepting the email is the only way to guess a 64 char hash that only lasts for 15 minutes.

But reset password features aside, what about the whole sending passwords or hints in a registration email? Any gotchas people have encountered?
#17

[eluser]Xeoncross[/eluser]
Well, I think I'm going to go ahead and put this into my auth system for sites that don't have much security to worry about.

Code:
<?php
// $password is the plaintext the user just registered with

// Only tell them how long the password is (the clue)
print sprintf('Your password is %d characters long.', strlen($password));

// OR

// Show them how long it is and show the last character
print str_repeat("*", strlen($password) - 1) . substr($password, -1);

Code:
Your password is 7 characters long

// OR

******d

So I guess the question is - how would you feel if a site sent this out in an email after you registered? %-P
#18

[eluser]Thorpe Obazee[/eluser]
I'd be saying, "holy 5@*#!, I typed the wrong password!!!11". Tongue

I'd say it would be fine. Much better than sending them in the open as plain text.

Theme © iAndrew 2016 - Forum software by © MyBB