On Sunday 05 April 2009 05:39:37 pm Russell Keith-Magee wrote:
> On Sun, Apr 5, 2009 at 6:12 AM, Joshua Partogi <joshua.j...@gmail.com> wrote:
> > On Apr 4, 11:49 pm, Masklinn <maskl...@masklinn.net> wrote:
> >> On 4 Apr 2009, at 15:38 , Joshua Partogi wrote:
> >> > Dear all,
> >> >
> >> > I already took a look at django.contrib.auth.models but could not
> >> > find any methods for decrypting the user password.
> >> >
> >> > Sometimes we need to get the real text password to be sent to the user.
> >> >
> >> > What is the best way to do this? Has anybody got an idea?
> >> >
> >> > Thank you very much in advance!
> >>
> >> Django's passwords are salted[1] and hashed[2]. You cannot[3] retrieve
> >> them, and that's exactly the intent (well, the intent is not that *you*
> >> cannot retrieve them, it's that nobody else can). If you need to send
> >> users their passwords, you have to generate new (random) passwords and
> >> send them that.
> >>
> >> Masklinn
> >
> > Thanks for the explanation Masklinn. :-)
> >
> > I'll find another way to send users their password.
>
> Don't. Ever. Do. This.
>
> You should _never_ store passwords in cleartext, and you should
> _never_ transmit passwords in cleartext. If you think I'm kidding,
> read up on what happened to Reddit.
>
> http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database
>
> Yours,
> Russ Magee %-)
>
I think that every web designer should read this:

http://www.owasp.org/index.php/OWASP_AppSec_FAQ

and, to address this question specifically:

http://www.owasp.org/index.php/OWASP_AppSec_FAQ#How_can_my_.22Forgot_Password.22_feature_be_exploited.3F

and the following four questions and answers. In the end, it also says the same things as Russ does.

Mike

-- 
Arcserve crashed the server again.
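The point Masklinn and Russ make above, as an added example that is not part of the thread and not Django's own code: a stored password is a one-way salted hash, so a "forgot password" feature cannot hand back the old password and must issue a fresh random one instead. The `<algorithm>$<iterations>$<salt>$<hash>` layout, the helper names `make_password`, `check_password` and `reset_password`, the iteration count and the `user` dict are all constructed for this illustration; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed for this example; the real work factor should be tuned to the
# deployment's hardware and raised over time.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000


def make_password(raw_password: str, salt: Optional[str] = None) -> str:
    """Hash a password with a fresh random per-user salt.

    Returns the encoded string '<algorithm>$<iterations>$<salt>$<hexdigest>'.
    Nothing reversible is stored, so the plaintext cannot be recovered later.
    """
    if salt is None:
        salt = secrets.token_hex(16)  # 128-bit random salt, unique per hash
    digest = hashlib.pbkdf2_hmac(
        "sha256", raw_password.encode("utf-8"), salt.encode("utf-8"), ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt}${digest.hex()}"


def check_password(raw_password: str, encoded: str) -> bool:
    """Verify a login attempt by re-hashing with the stored salt and parameters."""
    try:
        algorithm, iterations, salt, digest = encoded.split("$")
    except ValueError:
        return False  # malformed record; never treat as a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", raw_password.encode("utf-8"), salt.encode("utf-8"), int(iterations)
    )
    # Constant-time comparison so the check leaks nothing about where it differs.
    return hmac.compare_digest(candidate.hex(), digest)


def reset_password(user: dict) -> str:
    """'Forgot password': the old secret is unrecoverable, so replace it.

    The new random password is returned exactly once for delivery to the user;
    only its salted hash is written to the user record.
    """
    new_password = secrets.token_urlsafe(12)
    user["password"] = make_password(new_password)
    return new_password
```

`reset_password` returns the new password only so the caller can deliver it over whatever channel the site trusts; it is never logged or stored. A common refinement is to skip sending any password at all and instead send a short-lived, single-use reset link, which removes the cleartext secret from the transport entirely.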