in reply to Plaintext passwords?
in thread We blame tye.
The way I typically handle it is to:
- store them crypted
- require that the login page be accessed via SSL
- forgotten password is reset and emailed ONLY to the email address stored in the database for the provided user id. This doesn't prevent a malicious person from resetting someone else's password, BUT the person who receives the email saying what the new (randomly generated) password is, is the valid user.
/\/\averick
perl -l -e "eval pack('h*','072796e6470272f2c5f2c5166756279636b672');"
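
The three steps in the post above, as an added sketch that is not part of maverick's post. It assumes salted PBKDF2-HMAC-SHA256 as the "crypted" form, a Unix-like /dev/urandom, an in-memory %users table, and a returned hash in place of real mail delivery; all names are hypothetical.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);
my $ITER  = 100_000;    # assumed work factor
my %users = (alice => { email => 'alice@example.org' });    # constructed user table

# $n bytes from the kernel CSPRNG (assumes a Unix-like /dev/urandom).
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    (read($fh, my $buf, $n) // 0) == $n or die "short read from /dev/urandom";
    return $buf;
}

# PBKDF2-HMAC-SHA256, first 32-byte output block (RFC 8018).
sub pbkdf2 {
    my ($pw, $salt) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $pw);
    my $t = $u;
    for (2 .. $ITER) { $u = hmac_sha256($u, $pw); $t ^= $u }
    return $t;
}

# Store only a fresh random salt and the derived hash, never the password.
sub set_password {
    my ($uid, $pw) = @_;
    my $salt = random_bytes(16);
    @{ $users{$uid} }{qw(salt hash)} = ($salt, pbkdf2($pw, $salt));
}

sub check_password {
    my ($uid, $pw) = @_;
    my $rec = $users{$uid};
    return 0 unless $rec && defined $rec->{hash};
    my ($got, $diff) = (pbkdf2($pw, $rec->{salt}), 0);
    # Compare all 32 bytes so timing does not reveal a matching prefix.
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($rec->{hash}, $_, 1)) for 0 .. 31;
    return $diff == 0 ? 1 : 0;
}

# Takes only a user id, so the requester cannot choose the destination address.
sub reset_password {
    my ($uid) = @_;
    my $rec = $users{$uid} or return;
    my $new = unpack 'H*', random_bytes(12);    # 96 random bits as 24 hex chars
    set_password($uid, $new);
    return { to => $rec->{email}, body => "Your new password is: $new\n" };
}

set_password(alice => 'correct horse');
my $mail = reset_password('alice');
printf "to=%s old_password_valid=%d\n", $mail->{to}, check_password(alice => 'correct horse');
```

The login form that calls `check_password` is the page the post says to serve over SSL; that part lives in the web server configuration and is not shown here.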
Replies are listed 'Best First'.

Re: Re: Plaintext passwords?
by no_slogan (Deacon) on Mar 23, 2002 at 17:16 UTC
Re: Re: Plaintext passwords?
by Anonymous Monk on Mar 26, 2002 at 03:22 UTC
In Section
Perl Monks Discussion