Subject: Re: change password & lost password
Newsgroups: lugnet.admin.suggestions
Date: Sat, 13 Apr 2002 02:26:29 GMT
Viewed: 1749 times
In lugnet.admin.suggestions, William R. Ward wrote:
> > PS. I agree that sending passwords in plaintext is bad, btw.
>
> In particular, sending the *existing* password is very bad. Many
> people (even though they shouldn't) use the same passwords for
> multiple web sites. If the LUGNET password is one of these, then
> they'd have to change their password for other sites as well.
Of course, I agree with you. That's why (well, because Todd agrees with
this concept as well), when you get a password reset, you don't get your
old password sent to you, but a new randomly generated one; even the
admins don't know what it is.
> And anyway, the server shouldn't store the plaintext password at all -
> it should store a one-way encrypted (such as MD5) version. If someone
> hacked LUGNET, they'd have all these passwords. I guarantee at least
> one person has the same password for LUGNET and for other web sites,
> and that hacker could then use that information to get into those
> accounts.
Not that having the passwords hashed will stop someone from getting the
original, mind you. But the passwords are stored hashed, and there is no
way to just "look up" what your password is. All I could do is get the
hash and try to brute-force it... which in the case of MD5 might take
quite a while (weeks, sometimes, and more).
Dan
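The scheme Dan describes, as an added example that is not part of the original post or of LUGNET's own code: a user store that keeps only MD5 digests, a reset that issues a fresh random password whose plaintext is never retained, and the offline guessing attack an attacker who stole the digests would run. The user names, passwords and wordlist are constructed for the demonstration; the salted PBKDF2 variant at the end is an addition beyond what the post discusses.

```python
import hashlib
import hmac
import secrets
import string
from typing import Iterable, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits


def md5_hex(password: str) -> str:
    """Unsalted MD5 digest, the kind of one-way hash the thread talks about."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed, hypothetical user store: username -> MD5 hex digest.
# Only the digest is kept; the plaintext passwords exist here just to build it.
USER_STORE = {
    "alice": md5_hex("lego1234"),
    "bob": md5_hex("brickbuilder"),
}


def verify_password(store: dict, username: str, candidate: str) -> bool:
    """Hash the candidate and compare digests in constant time.

    There is nothing to "look up": the server never holds the stored plaintext.
    """
    stored = store.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, md5_hex(candidate))


def reset_password(store: dict, username: str, length: int = 12) -> str:
    """Issue a fresh random password instead of mailing the old one.

    The plaintext is returned exactly once so it can be sent to the user;
    only its digest is written to the store, so admins cannot recover it later.
    """
    if username not in store:
        raise KeyError(username)
    new_password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    store[username] = md5_hex(new_password)
    return new_password


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against a stolen digest: hash each candidate, compare.

    Unsalted MD5 costs one fast hash per guess, so a password that appears in
    a dictionary falls immediately; a long random one is not in any wordlist.
    """
    for word in wordlist:
        if md5_hex(word) == target_hex:
            return word
    return None


# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = ["password", "123456", "lego", "lego1234", "brickbuilder", "letmein"]


# Addition beyond the post: a per-user random salt plus a deliberately slow KDF
# means one precomputed table cannot be reused across users and every guess
# costs many hash iterations instead of one.
def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    store = dict(USER_STORE)
    print("alice logs in:", verify_password(store, "alice", "lego1234"))
    print("stolen digest for alice cracks to:", crack_md5(store["alice"], WORDLIST))
    fresh = reset_password(store, "alice")
    print("after reset, old password works:", verify_password(store, "alice", "lego1234"))
    print("after reset, new password works:", verify_password(store, "alice", fresh))
    print("new digest cracks to:", crack_md5(store["alice"], WORDLIST))
```

Running the script shows the two halves of the argument side by side: the digest of a guessable password is recovered by the dictionary pass at once, while the random 12-character reset password (62^12 possibilities) has no dictionary entry to match, and the store never held its plaintext.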
Message is in Reply To:
Re: change password & lost password
(...) Note that when I wrote that, I didn't know you *could* change the password on LUGNET. I had previously searched for a "change password" link without success. But the URL is only good for a limited time; if you want to have it send a password (...) (23 years ago, 13-Apr-02, to lugnet.admin.suggestions)