----- Original Message -----
From: "Benjamin Pflugmann" <[EMAIL PROTECTED]>
To: "Mike Hall" <[EMAIL PROTECTED]>
Cc: "Michael Collins" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, August 11, 2002 7:05 PM
Subject: Re: [OT] assigning new passwords (was: Need reversible encryption as string)
> On Sun 2002-08-11 at 17:30:46 +0100, [EMAIL PROTECTED] wrote:
> > An easier (and more secure) way, surely, is to use one-way encryption... and
> > if a user forgets his/her password, replace it with a random alphanumeric
> > string and mail that to them instead with instructions to change it to one
> > of their own choosing as soon as possible.
>
> Although I always liked this idea best security-wise, it can be abused
> quite easily. Whenever someone enters some account, the password for
> this account will be reset (and an email sent). If the email works
> fine, this is only a major annoyance. If the email of the account does
> not work anymore, this is a DoS "service" for that account: The
> password the account owner knew has been changed and he has no
> possibility to retrieve the new one. How do you prevent this?

The way I worked around this problem was to send two emails. When a reset password request is set in the database, I generate a confirmation hash and store that in the database. I then email a message to the user saying "someone has requested that your password be reset. If this was you, click here [http://www.mywebsite.com/resetpass.php?user=2356&confirm=a8b767bb9cf0938dc7f40603f33987e5]."

When the user clicks on that link, it checks the confirm hash against the one I stored in the database. If they match, it clears the hash, resets the password and emails the user again informing him/her what the new password is.

--Mike

---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php