Mauricio's system is definitely a cut above many others, but as was
pointed out it has a weakness.  The email goes to a unique address, but
you can't guarantee the recipient is the actual user.  You need to
authenticate the person and not the address to take this a step further.

I use the same system Mauricio describes, but I add in a hint/answer
supplied by the user.  User writes the question out him/herself, and
supplies the case-sensitive answer.  In addition to the two password
fields on the change screen, the user has to answer the question
correctly (it's up to the user to pick a q/a only they know and can
figure out... Another failure point but I can't see a way to strengthen
it).

When a user requests a new password, the admin gets an email (almost
always worthless, but on one occasion did alert me to a hack attempt).

If a user retries more than X times, I lock them out for the duration of
their session.  Keeps out automated attacks and resets itself so the
admin doesn't get bothered too much.

I never send passwords.  If a user fails the self-service system then I
tell them to run the change password routine.  If they forget their
hint/answer and can be real-world authenticated then I wipe the
hint/answer and then make them change their password via the automated
system, which upon seeing no hint/answer will demand a new one.  

The hint is encrypted, the answer is a salted hash.  

Salted hash:  Do the passwords like that as well.  Adding salt prevents
two hashes from being unique no matter what, and kills dictionary
attacks (I still run proposed passwords thru a dictionary filter, just
to be mean).

Google 'salted hash' and read the MSDN Security Brief that should be the
#2 response.  In addition to explaining the concept it has some
excellent free word-list dictionary sources in it, in many languages.

--------------------------------------------
Matt Robertson       [EMAIL PROTECTED]
MSB Designs, Inc.  http://mysecretbase.com
--------------------------------------------
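As an added illustration (not code from the post or from Matt's own system), here is a Python sketch of the scheme described above: a per-record random salt, a salted hash for both the security answer and the password, a case-sensitive answer check, and a per-session lockout after X failed attempts. PBKDF2-HMAC-SHA256, the iteration count, MAX_ATTEMPTS and all names are assumptions; the hint is kept in plaintext here rather than encrypted as the post does.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption: PBKDF2-HMAC-SHA256 as the "salted hash"
MAX_ATTEMPTS = 5       # the post's "X"


def make_record(secret: str) -> dict:
    """Store a fresh random salt plus the salted hash; the secret itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_record(record: dict, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt; constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


class SelfServiceReset:
    """One user's password-change state for a single session (hypothetical)."""

    def __init__(self, hint: str, answer: str, password: str):
        self.hint = hint                      # user-written question
        self.answer = make_record(answer)     # case-sensitive: no normalisation
        self.password = make_record(password)
        self.attempts = 0
        self.locked = False

    def change_password(self, answer: str, new_pw: str, confirm: str) -> str:
        if self.locked:
            return "locked"
        if not check_record(self.answer, answer):
            self.attempts += 1
            if self.attempts >= MAX_ATTEMPTS:
                self.locked = True            # lock for the rest of the session
                return "locked"
            return "wrong-answer"
        if new_pw != confirm:                 # the two password fields must agree
            return "mismatch"
        self.password = make_record(new_pw)   # new salt, new hash
        self.attempts = 0
        return "changed"

    def end_session(self) -> None:
        """Lockout resets itself when the session ends, as in the post."""
        self.attempts = 0
        self.locked = False
```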