Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling

Re: Plaintext passwords?

by maverick (Curate)
on Mar 22, 2002 at 20:43 UTC ( #153643=note: print w/replies, xml ) Need Help??

in reply to Plaintext passwords?
in thread We blame tye.

The way I typically handle it is to.
  • store them crypted
  • require that the login page be accessed via SSL
  • forgotten password is reset and emailed ONLY to the email address stored in the database for the provided user id. This doesn't prevent a malicious person from resetting someone else's password, BUT the person who receives the email saying what the new (randomly generated) password is, is the valid user.

perl -l -e "eval pack('h*','072796e6470272f2c5f2c5166756279636b672');"

Replies are listed 'Best First'.
Re: Re: Plaintext passwords?
by no_slogan (Deacon) on Mar 23, 2002 at 17:16 UTC
    That all sounds good. I assume that once someone logs in successfully via SSL, you send them a cookie, and they continue using that over an unsecured connection? In that case, the cookie essentially becomes the user's password. Do you have a good solution for preventing the bad guys from capturing and reusing that cookie?
Re: Re: Plaintext passwords?
by Anonymous Monk on Mar 26, 2002 at 03:22 UTC

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://153643]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (4)
As of 2023-03-22 07:27 GMT
Find Nodes?
    Voting Booth?
    Which type of climate do you prefer to live in?

    Results (60 votes). Check out past polls.