I am simply attempting to protect my users from their own ignorance or
dangerous habits. Your example is only further proof that what I described
is a real problem. I'm certainly not attempting or claiming to attempt to
prevent this from occurring, but I don't want any of my websites to
contribute to this problem or more importantly, be the source from which
nefarious persons gained access to one of my users' much more "valuable"
accounts (banking, bill paying, etc).

Storing the passwords encrypted (particularly hashed, so that
even the developers, etc. can't access the passwords) is one way to
protect your users. Another is by never sending their passwords in clear
text.

> > I want to be sure that I never, ever, ever, send a user's password to them
> > in clear text email. This is important because as many websites as people
> > log into they do not always assign a different password to each one. Their
> > password on my site could be the same as their password on their personal
> > banking website. Dumb, but frequent.
>
>
> I think your reasoning here is a little flawed.  This is an end user
> problem, and not sending passwords in a plain text email protects only
> against a fraction of the ways this mistake can be exploited.
>
> I inherited a site not long ago where the developer stored passwords in
> plain text.  I noticed that many of the user accounts on the site had
> Yahoo and Hotmail email addresses.  So just for grins, I went to Yahoo's
> webmail and Hotmail and tried logging in using those email addresses and
> stored password.  Probably 1/4 to 1/2 of them worked.
>
> Imagine how easy it would be for an unscrupulous web site owner or web
> developer to collect passwords?  The only way around this is to generate
> all passwords and not permit users to set their own.
>
> Jim
>
> 