Sending user passwords in the clear
#1

[eluser]Xeoncross[/eluser]
Sending a users password via email makes the "remember me" function look like Fort Knox.

Now that we have that out of the way...

I have a very low-security site that I want to make sure is easy for people to use. There is no user financial information or anything other than a zip code and email. So I am not worried about an attacker gaining access to anyone's account but mine.

Anyway, some sites still send a copy of the username, CLEAR TEXT PASS, & email they used when registering. This is helpful for people as they can just look back through their email for the information if they forget how to login. It saves a whole bunch of "forgot password?" steps for the user.

Anyway, I just can't stand even simple sites sending this data, so I thought that maybe I can make a change that says something like:

Code:
username: bob44
password: XXXXXXXd
//or
password: 8 characters long ending in "d"
email: [email protected]

Which seems like it should give enough information to jog the user's memory. This seems to work, or at least be acceptable, when it comes to credit card information anyway. I don't know, any thoughts?
#2

[eluser]depthcharge[/eluser]
If you are storing your passwords plain text in your database, or using a 2-way encryption (I would not do this personally myself), then I think that is a cool idea: some kind of function to take a random character/s and display as you stated:

Code:
Your Username: GordonBrown
Your password: **swh**e (8 characters)

Or something similar.

But I much prefer the reset password routine, rather than any kind of request password feature.
#3

[eluser]Xeoncross[/eluser]
I would never store encrypted passwords, much less plain text, in my database. I hope no-one else would either. I meant that upon first registering I send a "confirmation" email with this user data. Many sites seem to do this so that the user is A) reminded of their new account and B) has a copy of their username/email and optionally password in case they forget tomorrow when they try to login for the second time.

And of course I also provide a complete "forgot password?" setup for people that still can't remember (or delete the email).
#4

[eluser]Dregond Rahl[/eluser]
I think the better way would be to add a token to the database for lost passwords. When a user requests it, it's added, and something like this is sent to the email in the DB:


Lost your password? okie fine fine, go here :

http://domain.com/lostpassword/E6hD5Km9 (randomly generated string)


that page has a new password and confirm password field.
#5

[eluser]Thorpe Obazee[/eluser]
[quote author="Dregond Rahl" date="1242634729"]I think the better way would be to add a token to the database for lost passwords. When a user requests it, it's added, and something like this is sent to the email in the DB:


Lost your password? okie fine fine, go here :

http://domain.com/lostpassword/E6hD5Km9 (randomly generated string)


that page has a new password and confirm password field.[/quote]

But doesn't that present a security issue? Someone could manually type in (guess) generated strings.
#6

[eluser]Dregond Rahl[/eluser]
Not if it's truly random and hashed with a salt; then it's no different than a password itself.
#7

[eluser]Thorpe Obazee[/eluser]
I still feel that it's not secure. You could probably add something to confirm that they are actually the person intended to view that page?
#8

[eluser]Dregond Rahl[/eluser]
Could create a field in the DB to act like a flag. If a user requests a lost password, the account is flagged, so then the lost password token is activated; if it isn't flagged it won't work even if you get the right one. After the password is changed, the token changes and the account is unflagged.
#9

[eluser]Thorpe Obazee[/eluser]
[quote author="Dregond Rahl" date="1242638478"]Could create a field in the DB to act like a flag. If a user requests a lost password, the account is flagged, so then the lost password token is activated; if it isn't flagged it won't work even if you get the right one. After the password is changed, the token changes and the account is unflagged.[/quote]

I don't know, but isn't that the same thing? Anyway, what I mean is that the page should ask for something 'personal' or 'secret', like a secret question that's meant to be answered by the user on that page.

What do you think?
#10

[eluser]Dregond Rahl[/eluser]
That would work, but it's often noted that asking a secret question could be insecure. But in this system it would work out =]
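The token-plus-flag reset scheme worked out in posts #4 through #8 (random token, only its hash stored, usable only while the account is flagged, invalidated once the password changes), as an added example that is not code from this thread or from CodeIgniter. The in-memory user dict, the one-hour token lifetime and PBKDF2 for the password hash are my assumptions; a real site would keep these columns in its users table.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the thread does not name one

def hash_token(token: str) -> str:
    # The token carries 256 bits of entropy, so hashing it means a leaked
    # DB column cannot be pasted into the reset URL as-is.
    return hashlib.sha256(token.encode()).hexdigest()

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"pw_salt": salt, "pw_hash": hash_password(password, salt),
            "reset_flag": False, "reset_token_hash": None, "reset_expires": 0.0}

def request_reset(user: dict, now: float = None) -> str:
    """Flag the account and store only the token's hash; the raw token is
    returned so it can go into the emailed link and nowhere else."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    user["reset_flag"] = True
    user["reset_token_hash"] = hash_token(token)
    user["reset_expires"] = now + TOKEN_TTL_SECONDS
    return token

def complete_reset(user: dict, token: str, new_password: str, now: float = None) -> bool:
    now = time.time() if now is None else now
    if not user["reset_flag"] or user["reset_token_hash"] is None:
        return False  # no outstanding request: a guessed token does nothing
    if now > user["reset_expires"]:
        return False
    if not hmac.compare_digest(hash_token(token), user["reset_token_hash"]):
        return False
    salt = secrets.token_bytes(16)
    user["pw_salt"] = salt
    user["pw_hash"] = hash_password(new_password, salt)
    # Single use: clear the flag and token so the same link cannot be replayed.
    user["reset_flag"] = False
    user["reset_token_hash"] = None
    user["reset_expires"] = 0.0
    return True

def check_password(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user["pw_salt"]), user["pw_hash"])
```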