A better solution would probably be to implement a form of challenge
response authentication (i.e. personal question/answer).  This way, the
attacker has to know the challenge response to even begin the password
change transaction.  Additionally, it is a security hole to email anyone
their passwords in the clear.  It is much better to make them view it
over a secure connection (like SSL).  

If someone's account password does get changed (i.e. someone knows the
challenge/response), then the user needs to get in contact with you and
verify their account via other information.  

joe

On Sun, 2002-08-11 at 11:13, Mike Hall wrote:
> ----- Original Message -----
> From: "Benjamin Pflugmann" <[EMAIL PROTECTED]>
> To: "Mike Hall" <[EMAIL PROTECTED]>
> Cc: "Michael Collins" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Sunday, August 11, 2002 7:05 PM
> Subject: Re: [OT] assigning new passwords (was: Need reversible encryption
> as string)
> 
> > On Sun 2002-08-11 at 17:30:46 +0100, [EMAIL PROTECTED] wrote:
> > > An easier (and more secure) way, surely, is to use one-way encryption...
> > > and if a user forgets his/her password, replace it with a random
> > > alphanumeric string and mail that to them instead with instructions to
> > > change it to one of their own choosing as soon as possible.
> >
> > Although I always liked this idea best security-wise, it can be abused
> > quite easily. Whenever someone enters some account, the password for
> > this account will be reset (and an email sent). If the email works
> > fine, this is only a major annoyance. If the email of the account does
> > not work anymore, this is a DoS "service" for that account: The
> > password the account owner knew has been changed and he has no
> > possibility to retrieve the new one. How do you prevent this?
> 
> The way I worked around this problem was to send two emails. When a reset
> password request is set in the database, I generate a confirmation hash and
> store that in the database. I then email a message to the user saying
> "someone has requested that your password be reset. If this was you, click
> here
> [http://www.mywebsite.com/resetpass.php?user=2356&confirm=a8b767bb9cf0938dc7f40603f33987e5]."
> 
> When the user clicks on that link, it checks the confirm hash against the
> one I stored in the database. If they match, it clears the hash, resets the
> password and emails the user again informing him/her what the new password
> is.
> 
> --Mike
> 
> 
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
> 
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> 
> 
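The two-email flow Mike describes, combined with Joe's point that the password itself should never travel by email, as an added example that is not code from the original thread. The in-memory USERS dict, TOKEN_TTL and the function names are assumptions; storing only the hash of the confirmation token (so a leaked database does not expose live reset links) is a refinement beyond what the thread states.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed value)

def hash_password(password, salt=None):
    """Salted PBKDF2: the stored value cannot be reversed to the password."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def check_password(stored, password):
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(stored, hash_password(password, salt))

# Constructed in-memory stand-in for the users table in the thread.
USERS = {2356: {"pw": hash_password("old-secret"), "reset": None}}

def request_reset(user_id, now=None):
    """Step 1 (first email): create the confirmation token and store only its
    hash.  The password is untouched, so a stranger's bogus request cannot
    lock the real owner out.  Returns the raw token for the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_hex(16)
    USERS[user_id]["reset"] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL,
    }
    return token

def confirm_reset(user_id, token, new_password, now=None):
    """Step 2: the user follows the link over HTTPS and picks the new password
    in the browser, so no password is ever emailed.  The token is compared
    in constant time, must be unexpired, and is single-use."""
    now = time.time() if now is None else now
    user = USERS.get(user_id)
    pending = user["reset"] if user else None
    if pending is None:
        return False
    if now >= pending["expires"]:
        user["reset"] = None  # stale link: drop it, the user must request again
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    user["reset"] = None  # consume the token so the link cannot be replayed
    user["pw"] = hash_password(new_password)
    return True
```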