Re: Most secure way to reset a password via email link [message #185166 is a reply to message #185164]
Wed, 05 March 2014 21:47
The Natural Philosoph
Messages: 993 Registered: September 2010
Senior Member
On 05/03/14 19:51, Denis McMahon wrote:
> On Wed, 05 Mar 2014 07:54:35 -0800, jvd_200089 wrote:
>
>> On Wednesday, 5 March 2014 15:35:30 UTC, The Natural Philosopher wrote:
>
>> Yes, the email link will point to https:// but, when using SSL, what's
>> wrong with just redisplaying the password on the screen?
>
> FUCK THE HELL NO!
I never said that!!!
Please get the attributions right.
>
> The ability to display the old password implies that you're either
> storing it in the clear (this is worst possible practice) or using a
> reversible hashing method (this is the second worst possible practice).
>
> When a user sets a password, it should be one-way hashed[1], and the hash
> stored. When a user tries to log in, apply the same one way hashing
> function, and check the hash of the supplied password with the stored
> hash of the original password.
>
> Never ever ever ever store passwords in a manner that they can be
> recovered, because when your database gets hacked (and the whole world
> now knows you have a database of passwords waiting to be hacked that
> might be stored in the clear) all your customers' passwords will be
> completely compromised almost immediately.
>
> [1] Hashing includes salting.
>
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
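The store-only-a-salted-one-way-hash scheme quoted above, as an added worked example that is not code from any poster in this thread. It uses only the Python standard library: PBKDF2-HMAC-SHA256 for the password, a random per-user salt, and a constant-time comparison on login. The iteration count, the record format (algo$iterations$salt$hash) and the one-hour reset-link lifetime are assumptions chosen for the example. The second half goes one step beyond the quoted post and applies the same principle to the thread's subject: the reset token that goes into the e-mail link is stored only as its SHA-256 digest, so a leaked database does not yield usable reset links either.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example; tune the iteration count to your hardware.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_LEN = 16
RESET_TTL_SECONDS = 3600  # assumed one-hour lifetime for a reset link


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$iter$salt_hex$hash_hex".

    A fresh random salt per call means two users with the same password get
    different records, and a precomputed table is useless against the dump.
    """
    salt = secrets.token_bytes(SALT_LEN)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupted row
    cannot turn into an unhandled exception in the login path.
    """
    try:
        algo, iterations_s, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if algo != f"pbkdf2_{HASH_NAME}" or iterations <= 0:
        return False
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def issue_reset_token(now: float, ttl: float = RESET_TTL_SECONDS):
    """Create a reset token: the raw value goes into the e-mail link only.

    The database keeps just the SHA-256 of the token plus an expiry. A plain
    hash is enough here because the token is 256 bits of randomness, not a
    low-entropy human password.
    """
    raw = secrets.token_urlsafe(32)
    record = {
        "token_sha256": hashlib.sha256(raw.encode("ascii")).hexdigest(),
        "expires_at": now + ttl,
    }
    return raw, record


def check_reset_token(raw: str, record: dict, now: float) -> bool:
    """Accept the token from the link only if unexpired and its hash matches."""
    if now > record["expires_at"]:
        return False
    digest = hashlib.sha256(raw.encode("ascii")).hexdigest()
    return hmac.compare_digest(digest, record["token_sha256"])


if __name__ == "__main__":
    # Constructed demo: two users choose the same password.
    rec_alice = hash_password("correct horse battery staple")
    rec_bob = hash_password("correct horse battery staple")
    print("records differ despite same password:", rec_alice != rec_bob)
    print("login ok:", verify_password("correct horse battery staple", rec_alice))
    print("wrong password:", verify_password("Correct horse battery staple", rec_alice))

    raw_token, db_row = issue_reset_token(now=0.0)
    print("link carries:", raw_token)
    print("db stores:", db_row)
    print("valid within ttl:", check_reset_token(raw_token, db_row, now=600.0))
    print("expired:", check_reset_token(raw_token, db_row, now=7200.0))
```

On a real site, mark the token row used on the first successful check so the link works once, and invalidate any outstanding tokens when the password changes.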