Hi.

I drag this a bit to off-topic here, but the answer below brings up a
question which bothered me for some time...

On Sun 2002-08-11 at 17:30:46 +0100, [EMAIL PROTECTED] wrote:
> An easier (and more secure) way, surely, is to use one-way encryption... and
> if a user forgets his/her password, replace it with a random alphanumeric
> string and mail that to them instead with instructions to change it to one
> of their own choosing as soon as possible.

Although I always liked this idea best security-wise, it can be abused
quite easily. Whenever someone enters some account, the password for
this account will be reset (and an email sent). If the email works
fine, this is only a major annoyance. If the email of the account does
not work anymore, this is a DoS "service" for that account: The
password the account owner knew has been changed and he has no
possibility to retrieve the new one. How do you prevent this?

My current solution works with the old password. Surely this has its
drawbacks security-wise, but it can only be abused to send these
e-mails to people, for which a limit is realized.

So back to my question above. With the good-security solution, how can
I prevent the abuse mentioned?

Bye,
        
        Benjamin.

-- 
[EMAIL PROTECTED]
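
As an added example (not from the thread or its author), the usual answer to the lockout problem above: requesting a reset mails a random, time-limited, single-use token but leaves the current password untouched, so only someone who can read the mailbox can change it; per-account rate limiting keeps the mail volume bounded. The class, its names and the PBKDF2 parameters are assumptions for the illustration.

```python
import hashlib
import secrets
import time

def hash_password(password, salt=None):
    # PBKDF2 with a per-user salt; a reset only ever replaces this pair.
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    def __init__(self, token_ttl=3600, max_requests_per_hour=3):
        self.users = {}        # username -> (salt, digest)
        self.pending = {}      # sha256(token) -> (username, expires_at)
        self.request_log = {}  # username -> timestamps of reset requests
        self.token_ttl = token_ttl
        self.max_requests = max_requests_per_hour

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        return secrets.compare_digest(hash_password(password, salt)[1], digest)

    def request_reset(self, username, now=None):
        # Returns the token to mail, or None (unknown user or rate-limited).
        # Nothing in self.users changes here, so the old password keeps working.
        now = time.time() if now is None else now
        if username not in self.users:
            return None  # respond identically either way to avoid enumeration
        recent = [t for t in self.request_log.get(username, []) if now - t < 3600]
        if len(recent) >= self.max_requests:
            return None
        self.request_log[username] = recent + [now]
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash
        self.pending[key] = (username, now + self.token_ttl)
        return token

    def redeem_reset(self, token, new_password, now=None):
        # The password changes only here: valid, unexpired, single-use token.
        now = time.time() if now is None else now
        entry = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or now > entry[1]:
            return False
        self.users[entry[0]] = hash_password(new_password)
        return True
```

The mailed token should go in a link to a page that calls `redeem_reset`; because an unredeemed request changes nothing, a stranger entering someone else's account name can at worst trigger a bounded number of emails.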
