How do you verify that the person is indeed the person you think you're sending the password to?

There's no foolproof way of doing it if the user has forgotten the keys they need to authenticate with. Sending the new password to the email address the user registered with is good enough most of the time. Of course, if it were something like an online banking password, I'd get the customer to phone, maybe even have them go to their branch in person, and have a human authenticate them. (Let's not talk about how bad humans are at authenticating humans for now :-)

Do you change the password immediately as someone makes the request, or do you wait to verify that the request was valid by verifying the user through some other means?

Depends on the circumstances. Most of the time, changing it immediately and notifying the customer by email is good enough. For some situations, you might want to email the customer to confirm that they want to reset their password.

(If the person was on your site as the password was reset, this could be a bad thing...)

Shouldn't matter, as no-one in their right mind would be sending the password across the wire with every HTTP transaction. They will instead have been given some token like a cookie to identify them for this session.


In reply to Re: Re: Re: Re: Ecrypting passwords by DrHyde
in thread Ecrypting passwords by SavannahLion
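The reply above describes an email-link reset and notes that the session cookie, not the password, identifies the logged-in user. The following is an added example (written for this page in Python, not code from the thread or from DrHyde) of that flow: a short-lived, single-use reset token of which only the hash is stored, and a reset that also drops every existing session so a logged-in intruder does not survive it. The in-memory `Store`, the 15-minute lifetime, the PBKDF2 work factor and the stubbed-out mailer are all assumptions for illustration.

```python
"""Email-link password reset with a short-lived, single-use token.

Added example, not from the PerlMonks thread. Storage is an in-memory
dict standing in for a users table, and sending the mail is left to the
caller, which receives (email, token) and builds the link.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: reset links expire after 15 minutes
PBKDF2_ROUNDS = 200_000       # assumed work factor for password hashing


class Store:
    """Assumed in-memory store; a real application would use a database."""

    def __init__(self):
        self.users = {}         # username -> {"email", "salt", "pw_hash", "sessions"}
        self.reset_tokens = {}  # sha256(token) -> (username, expires_at)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_user(store, username, email, password):
    salt = secrets.token_bytes(16)
    store.users[username] = {
        "email": email,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "sessions": set(),
    }


def login(store, username, password):
    """Return an opaque session token on success, None on failure.
    The password is never sent again afterwards; the cookie carries this token."""
    user = store.users.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"])):
        return None
    session = secrets.token_urlsafe(32)
    user["sessions"].add(session)
    return session


def session_valid(store, username, session):
    user = store.users.get(username)
    return user is not None and session in user["sessions"]


def request_reset(store, username, now=None):
    """Mint a reset token and return (email, token) for the mailer.
    Only the hash of the token is stored, so a leaked table row cannot be
    turned into a working reset link. Returns None for an unknown user; the
    caller should show the same "check your mail" message either way so the
    form does not reveal which accounts exist."""
    user = store.users.get(username)
    if user is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    store.reset_tokens[token_hash] = (username, now + TOKEN_TTL_SECONDS)
    return user["email"], token


def complete_reset(store, token, new_password, now=None):
    """Consume the token: reject it if unknown or expired, set the new
    password, and drop every existing session so someone already logged in
    with the old credentials is thrown out as well."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = store.reset_tokens.pop(token_hash, None)  # single use, valid or not
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    user = store.users[username]
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = hash_password(new_password, user["salt"])
    user["sessions"].clear()
    return True
```

The "reset immediately or confirm first" choice from the reply maps onto where the email goes: here the mail carries the token and nothing changes until the link is followed, which is the confirm-first variant; the change-immediately variant would generate the new password at request time and mail it, which is why the session invalidation in `complete_reset` matters in both cases.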
