Re: Plaintext passwords?

by maverick (Curate)

on Mar 22, 2002 at 20:43 UTC ( #153643=note: print w/replies, xml )

Need Help??

The way I typically handle it is to.

store them crypted
require that the login page be accessed via SSL
forgotten password is reset and emailed ONLY to the email address stored in the database for the provided user id. This doesn't prevent a malicious person from resetting someone else's password, BUT the person who receives the email saying what the new (randomly generated) password is, is the valid user.

/\/\averick
perl -l -e "eval pack('h*','072796e6470272f2c5f2c5166756279636b672');"

Comment on Re: Plaintext passwords?

Replies are listed 'Best First'.
Re: Re: Plaintext passwords? by no_slogan (Deacon) on Mar 23, 2002 at 17:16 UTC
That all sounds good. I assume that once someone logs in successfully via SSL, you send them a cookie, and they continue using that over an unsecured connection? In that case, the cookie essentially becomes the user's password. Do you have a good solution for preventing the bad guys from capturing and reusing that cookie?	[reply]
Re: Re: Plaintext passwords? by Anonymous Monk on Mar 26, 2002 at 03:22 UTC
Me rikey.	[reply]

Domain Nodelet^?

Node Status^?

node history
Node Type: note [id://153643]
help

Chatterbox^?

How do I use this? | Other CB clients

Other Users^?

Others lurking in the Monastery: (4)

As of 2023-03-22 07:27 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Voting Booth^?

Notices^?