in reply to Thanks!
in thread P@$$w0rd$ in perl?

Being able to recover a user's password would mean that there would need to be a "secret key" for the "right people" to be able to decrypt it. This opens yet another possible security hole. The preferred way of doing things is simply giving the "right people" the power to change any user's password. That way, if a user loses his/her password, they can have it reset to something known.

Most password-protected web pages out there evidently store the passwords in clear text, since they are able to mail it to you if you lose it. Although convenient, this is not necessarily secure. I think the best thing would be what comatose suggested, have the system generate a new random password and send it to the user. That way you don't have to store clear-text passwords.
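The scheme described above (store only a crypt'd hash, and on "forgot password" generate a fresh random password rather than recovering the old one) as an added worked example; this is illustration code written for this thread, not code from the original post or from any of its participants. It assumes a Unix-like host with `/dev/urandom` and a glibc-style `crypt(3)` that understands the `$6$` (SHA-512) salt prefix; the `%users` table, the user name `alice` and the sample passwords are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed in-memory "user table": username => crypt()ed hash.
# Only the hash is ever stored; the clear-text password never is.
my %users;

# Read $n bytes from the kernel CSPRNG (assumes /dev/urandom exists).
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $buf, $n) == $n or die "short read from /dev/urandom";
    close $fh;
    return $buf;
}

# Map random bytes onto the 64-symbol crypt(3) salt alphabet [./0-9A-Za-z].
# Masking with 63 keeps the choice uniform (each byte -> one of 64 symbols).
sub random_salt_chars {
    my ($len) = @_;
    my @alphabet = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    return join '', map { $alphabet[ ord($_) & 63 ] } split //, random_bytes($len);
}

# Hash a password with a fresh 16-char salt. The "$6$" prefix selects SHA-512
# crypt; this is the assumed glibc behaviour (other libcs may fall back to DES).
sub hash_password {
    my ($plain) = @_;
    my $salt = '$6$' . random_salt_chars(16) . '$';
    return crypt($plain, $salt);
}

# Verify by re-hashing with the stored hash as the salt: crypt() reads the
# "$6$<salt>$" prefix back out of it, so the same salt and algorithm are used.
sub check_password {
    my ($plain, $stored) = @_;
    return crypt($plain, $stored) eq $stored;
}

sub set_password {
    my ($user, $plain) = @_;
    $users{$user} = hash_password($plain);
}

sub login_ok {
    my ($user, $plain) = @_;
    return 0 unless exists $users{$user};
    return check_password($plain, $users{$user});
}

# Reset flow from the thread: the old password is not recoverable, so mint a
# new random one, store only its hash, and hand the plaintext back exactly
# once so the caller can mail it to the user.
sub reset_password {
    my ($user) = @_;
    die "unknown user $user\n" unless exists $users{$user};
    my $new_plain = random_salt_chars(12);    # 12 chars * 6 bits = 72 bits of entropy
    set_password($user, $new_plain);
    return $new_plain;
}

# Demonstration with constructed sample data.
set_password('alice', 'correct horse battery staple');
print "stored for alice: $users{alice}\n";    # a hash, not the password
print "right password:   ", (login_ok('alice', 'correct horse battery staple') ? "ok" : "fail"), "\n";
print "wrong password:   ", (login_ok('alice', 'password') ? "ok" : "fail"), "\n";

my $temp = reset_password('alice');
print "temporary password to mail out (shown once): $temp\n";
print "old password still works? ", (login_ok('alice', 'correct horse battery staple') ? "yes" : "no"), "\n";
print "temporary password works?  ", (login_ok('alice', $temp) ? "yes" : "no"), "\n";
```

Run it with `perl reset_demo.pl`; after the reset, the original password fails and only the temporary one succeeds. The point of the design is that nothing on disk can be turned back into a user's password, so there is no "secret key" for the "right people" to lose.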

RE: RE: Thanks!
by jbert (Priest) on Apr 25, 2000 at 19:23 UTC
    Heh. Unless you do on-the-fly brute forcing of the crypt'd password when a user requests to be email'd it. That would just about be feasible for crypt'd passwords.

    (Mostly a joke).