From:Mike Hall Date:August 11 2002 6:13pm
Subject:Re: [OT] assigning new passwords (was: Need reversible encryption as string)
----- Original Message -----
From: "Benjamin Pflugmann" <benjamin-mysql@stripped>
To: "Mike Hall" <mike.hall@stripped>
Cc: "Michael Collins" <mcollins@stripped>; <mysql@stripped>
Sent: Sunday, August 11, 2002 7:05 PM
Subject: Re: [OT] assigning new passwords (was: Need reversible encryption as string)

> On Sun 2002-08-11 at 17:30:46 +0100, mike.hall@stripped wrote:
> > An easier (and more secure) way, surely, is to use one-way encryption... and
> > if a user forgets his/her password, replace it with a random alphanumeric
> > string and mail that to them instead with instructions to change it to one
> > of their own choosing as soon as possible.
>
> Although I always liked this idea best security-wise, it can be abused
> quite easily. Whenever someone enters some account, the password for
> this account will be reset (and an email sent). If the email works
> fine, this is only a major annoyance. If the email of the account does
> not work anymore, this is a DoS "service" for that account: The
> password the account owner knew has been changed and he has no
> possibility to retrieve the new one. How do you prevent this?

The way I worked around this problem was to send two emails. When a reset
password request is set in the database, I generate a confirmation hash and
store that in the database. I then email a message to the user saying
"someone has requested that your password be reset. If this was you, click here
[http://www.mywebsite.com/resetpass.php?user=2356&confirm=a8b767bb9cf0938dc7f40603f33987e5]."

When the user clicks on that link, it checks the confirm hash against the
one I stored in the database. If they match, it clears the hash, resets the
password and emails the user again informing him/her what the new password
is.

--Mike
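The two-step flow Mike describes above, as an added example that is not code from the thread: Python with an in-memory SQLite table standing in for the MySQL table and a constructed user row (id 2356). Two details are assumptions beyond the post: only a hash of the confirmation token is stored, and the token expires after `TOKEN_TTL` seconds.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumption, not in the post)

def _pw_hash(password):
    # Stand-in for a slow password hash (bcrypt/scrypt) to keep the example self-contained.
    return hashlib.sha256(password.encode()).hexdigest()

def open_db():
    """In-memory SQLite stands in for the MySQL table; the user row is constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT, "
               "confirm_hash TEXT, confirm_expires INTEGER)")
    db.execute("INSERT INTO users VALUES (2356, 'user@example.com', ?, NULL, NULL)",
               (_pw_hash("old-password"),))
    return db

def request_reset(db, user_id):
    """Step 1: generate a confirmation token, store only its hash plus an expiry, and
    return the link to email. The current password is deliberately left untouched."""
    token = secrets.token_hex(16)
    db.execute("UPDATE users SET confirm_hash=?, confirm_expires=? WHERE id=?",
               (hashlib.sha256(token.encode()).hexdigest(),
                int(time.time()) + TOKEN_TTL, user_id))
    return f"http://www.mywebsite.com/resetpass.php?user={user_id}&confirm={token}"

def confirm_reset(db, user_id, token):
    """Step 2: run when the link is clicked. Returns the new password to email,
    or None when no request is pending, the token is wrong, or it has expired."""
    row = db.execute("SELECT confirm_hash, confirm_expires FROM users WHERE id=?",
                     (user_id,)).fetchone()
    if row is None or row[0] is None or row[1] < time.time():
        return None
    if not hmac.compare_digest(row[0], hashlib.sha256(token.encode()).hexdigest()):
        return None
    new_password = secrets.token_urlsafe(12)
    # Clear the hash in the same update so the link is single-use.
    db.execute("UPDATE users SET confirm_hash=NULL, confirm_expires=NULL, pw_hash=? "
               "WHERE id=?", (_pw_hash(new_password), user_id))
    return new_password

def check_password(db, user_id, password):
    """Login check against the stored hash."""
    row = db.execute("SELECT pw_hash FROM users WHERE id=?", (user_id,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _pw_hash(password))
```

Because the password only changes inside `confirm_reset`, a reset request sent by someone else leaves the owner's existing password working, which is the DoS case Benjamin raised.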
