List:General Discussion« Previous MessageNext Message »
From:Joe Shear Date:August 12 2002 6:18pm
Subject:Re: [OT] assigning new passwords (was: Need reversible encryption
as string)
View as plain text  
A better solution would probably be to implement a form of challenge
response authentication.  (IE: Personal Question/Answer).  This way, the
attacker has to know the challenge response to even begin the password
change transaction.  Additionally, it is a security hole to email anyone
their passwords in the clear.  It is much better to make them view it
over a secure connection (like ssl).  

If someone's account password does get changed (ie: someone knows the
challenge/response), then the user needs to get in contact with you and
verify their account via other information.  

joe

On Sun, 2002-08-11 at 11:13, Mike Hall wrote:
> ----- Original Message -----
> From: "Benjamin Pflugmann" <benjamin-mysql@stripped>
> To: "Mike Hall" <mike.hall@stripped>
> Cc: "Michael Collins" <mcollins@stripped>; <mysql@stripped>
> Sent: Sunday, August 11, 2002 7:05 PM
> Subject: Re: [OT] assigning new passwords (was: Need reversible encryption
> as string)
> 
> > On Sun 2002-08-11 at 17:30:46 +0100, mike.hall@stripped wrote:
> > > An easier (and more secure) way, surely, is to use one-way encryption...
> and
> > > if a user forgets his/her password, replace it with a random
> alphanumeric
> > > string and mail that to them instead with instructions to change it to
> one
> > > of their own choosing as soon as possible.
> >
> > Although I always liked this idea best security-wise, it can be abused
> > quite easily. Whenever someone enters some account, the password for
> > this account will be reset (and an email send). If the email works
> > fine, this is only a major annoyance. If the email of the account does
> > not work anymore, this is a DoS "service" for that account: The
> > password the account owner knew has been changed and he has no
> > possibility to retrieve the new one. How do you prevent this?
> 
> The way I worked around this problem was to send two emails. When a reset
> password request is set in the database, I generate a confirmation hash and
> store that in the database. I then email a message to the user saying
> "someone has requested that your password be reset. if this was you click
> here
> [http://www.mywebsite.com/resetpass.php?user=2356&confirm=a8b767bb9cf0938dc7
> f40603f33987e5].
> 
> When the user clicks on that link, it checks the confirm hash against the
> one I stored in the database. If they match, it clears the hash, resets the
> password and emails the user again informing him/her what the new password
> is.
> 
> --Mike
> 
> 
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
> 
> To request this thread, e-mail <mysql-thread116825@stripped>
> To unsubscribe, e-mail <mysql-unsubscribe-joe=plaxo.com@stripped>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> 
> 


Thread
Need reversible encryption as stringMichael Collins11 Aug
  • Re: Need reversible encryption as stringMike Hall11 Aug
    • Re: Need reversible encryption as stringMichael Collins11 Aug
    • Re: [OT] assigning new passwords (was: Need reversible encryption as string)Benjamin Pflugmann11 Aug
  • Re: Need reversible encryption as stringPaul DuBois11 Aug
    • Re: Need reversible encryption as stringBenjamin Pflugmann11 Aug
      • Re: Need reversible encryption as stringPaul DuBois11 Aug
  • Re: [OT] assigning new passwords (was: Need reversible encryption as string)Mike Hall11 Aug
    • Re: [OT] assigning new passwords (was: Need reversible encryptionas string)Joe Shear12 Aug
Re: Need reversible encryption as stringMichael Collins11 Aug