Subject: Re: change password & lost password
Newsgroups: lugnet.admin.suggestions
Date: Sat, 13 Apr 2002 01:28:08 GMT
Viewed: 1395 times
"Dan Boger" <dan@peeron.com> writes:

> In lugnet.admin.suggestions, William R. Ward writes:
> > The "forgot my password" link should appear on the login page.  If you
> > click it, it should take you to a page where you can enter your member
> > number (if you forgot *that*, then maybe a way to search by e-mail
> > address or real name?).  The most secure method that I'm aware of
> > involves sending an e-mail to the user with a special URL that they
> > can then visit to enter a new password.  Once they have done so, that
> > special URL is no longer valid.  This way the password is never sent
> > in e-mail.
>
> How is sending a URL better than sending a password?  I assume that once you
> get a new password in the mail, the first thing you do is change it anyway,
> right?  So what's the difference?

Note that when I wrote that, I didn't know you *could* change the
password on LUGNET.  I had previously searched for a "change password"
link without success.

But the URL is only good for a limited time; if you want to have it
send a password in e-mail, I would suggest that it make changing the
password mandatory immediately upon its first use.

> PS.  I agree that sending passwords in plaintext is bad, btw.

In particular, sending the *existing* password is very bad.  Many
people (even though they shouldn't) use the same passwords for
multiple web sites.  If the LUGNET password is one of these, then
they'd have to change their password for other sites as well.

And anyway, the server shouldn't store the plaintext password at all -
it should store a one-way encrypted (such as MD5) version.  If someone
hacked LUGNET, they'd have all these passwords.  I guarantee at least
one person has the same password for LUGNET and for other web sites,
and that hacker could then use that information to get into those
accounts.

--Bill.

--
William R Ward            bill@wards.net          http://www.wards.net/~bill/
-----------------------------------------------------------------------------
     If you're not part of the solution, you're part of the precipitate.
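The reset flow Bill describes above (a time-limited, single-use URL e-mailed to the member, with the server storing only one-way hashes), as an added example that is not part of this thread or of LUGNET's code. The member number, one-hour lifetime and in-memory stores are constructed; the password hash uses salted PBKDF2 rather than the bare MD5 mentioned above.

```python
import hashlib
import hmac
import os
import secrets

RESET_TTL_SECONDS = 3600  # constructed value: a reset link is good for one hour

# Constructed in-memory stores standing in for the member database.
# Neither the password nor the reset token is ever stored in plaintext.
members = {}       # member_number -> {"salt": bytes, "pw_hash": bytes}
reset_tokens = {}  # sha256(token) -> {"member": int, "expires": float}

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow one-way hash of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(member_number: int, password: str) -> None:
    salt = os.urandom(16)
    members[member_number] = {"salt": salt, "pw_hash": _hash_password(password, salt)}

def verify_password(member_number: int, password: str) -> bool:
    rec = members.get(member_number)
    if rec is None:
        return False
    # Constant-time comparison so a mismatch leaks nothing about the stored hash.
    return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))

def issue_reset_token(member_number: int, now: float) -> str:
    """Return the secret to embed in the e-mailed URL; only its hash is kept."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[digest] = {"member": member_number, "expires": now + RESET_TTL_SECONDS}
    return token

def redeem_reset_token(token: str, new_password: str, now: float) -> bool:
    """Set a new password only if the token is known, unexpired and unused."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(digest, None)  # pop: the URL is valid for one use only
    if entry is None or now > entry["expires"]:
        return False
    set_password(entry["member"], new_password)
    return True
```

Because only the hash of the token is stored, a copy of the database does not let anyone forge a valid reset URL, and the old password never appears in the e-mail.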
