On Mon, February 19, 2007 5:12 am, Fergus Gibson wrote:
>> 4) if a user forgets his or her password, you can send an email to the
>> user when
>> the user answers a password-protected question.
>
> Kinda impossible if the password is hashed, isn't it?  What a strange
> thought, though.  I guess all those sites with password reminder
> functions have the password stored in plain text somewhere.

Yes.

And email is an inherently insecure medium, unless you have exchanged
off-line key pairs or something and the user has the skill to install
encrypted email software packages.

Even the sites that generate a new random password to email to you
risk the email being inspected in transit, even if the password in the
db is not plain text anywhere at all.

You need at least 3 passwords to surf the web, really.

#1. Real password for, like, online banking, where you're pretty sure
they have security "right" (well, the odds are good anyway)

#2. Second level real password for, like, personal info sites, or
"important" private data.

#3. Useless throw-away password for stupid sites you don't really care
about that require a password.

You might even want a #1a for online shopping where you would HOPE the
online store did it right, but don't want to risk the password that
unlocks your bank account, just in case they are one of the ones that
got it very very very wrong.

Something like eBay or Amazon or PayPal, if you use them frequently,
might warrant yet another good password.

Now if I could just remember which EMAIL or USERNAME I used for each
site, I'd be all set... :-(

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

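As an added example, not code from this thread or from PHP itself: a "forgot password" flow written the way the exchange above implies it should be done. The site keeps only a one-way hash of the password, so it cannot mail the password back; instead it mails a random, short-lived, single-use reset token and stores only a hash of that token. An intercepted token is then useful only until it is used or expires, which bounds the in-transit risk the post describes. The function names (`beginPasswordReset`, `completePasswordReset`, `check`) and the in-memory `$users` array are my own assumptions standing in for a real users table.

```php
<?php
// Added illustration: hashed password storage plus a token-based reset.
// The $users array is a constructed stand-in for a database table.
declare(strict_types=1);

$users = [
    'alice@example.com' => [
        'password_hash'    => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        'reset_token_hash' => null,  // sha256 of the outstanding reset token, if any
        'reset_expires_at' => null,  // unix timestamp after which the token is dead
    ],
];

/**
 * Start a reset: mint a random token, store only its hash and an expiry,
 * and return the raw token so the caller can put it in an email link.
 * No plaintext password exists anywhere for the site to send.
 */
function beginPasswordReset(array &$users, string $email, int $ttlSeconds = 900): ?string
{
    if (!isset($users[$email])) {
        return null; // caller should respond identically either way (no address enumeration)
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $users[$email]['reset_token_hash'] = hash('sha256', $token);
    $users[$email]['reset_expires_at'] = time() + $ttlSeconds;
    return $token;
}

/**
 * Finish a reset: the token must match, must not have expired, and is
 * burned on success, so a copy read in transit is worthless afterwards.
 */
function completePasswordReset(array &$users, string $email, string $token, string $newPassword): bool
{
    if (!isset($users[$email]) || $users[$email]['reset_token_hash'] === null) {
        return false;
    }
    $u = $users[$email];
    if (time() > $u['reset_expires_at']) {
        return false; // expired
    }
    // hash_equals() compares in constant time.
    if (!hash_equals($u['reset_token_hash'], hash('sha256', $token))) {
        return false; // wrong token
    }
    $users[$email]['password_hash']    = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['reset_token_hash'] = null; // single use
    $users[$email]['reset_expires_at'] = null;
    return true;
}

// Tiny check helper (PHP's assert() may be disabled by configuration).
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Walk-through.
$token = beginPasswordReset($users, 'alice@example.com');
check($token !== null, 'token issued for known user');
check(beginPasswordReset($users, 'nobody@example.com') === null, 'unknown user yields null');
// ... the site now emails a link carrying $token; it never emails a password ...

check(!completePasswordReset($users, 'alice@example.com', 'not-the-token', 'x'), 'wrong token rejected');
check(completePasswordReset($users, 'alice@example.com', $token, 'new passphrase'), 'valid token accepted');
check(!completePasswordReset($users, 'alice@example.com', $token, 'again'), 'token cannot be reused');
check(password_verify('new passphrase', $users['alice@example.com']['password_hash']), 'new password verifies');
check(!password_verify('correct horse battery staple', $users['alice@example.com']['password_hash']), 'old password no longer verifies');
echo "reset flow ok\n";
```

The expiry window (15 minutes here) and the single-use rule are what make emailing the token acceptable over an unencrypted channel: someone reading the message in transit has to beat the legitimate user to the link, and the stored hash of the token means a leaked database copy does not hand out usable reset links either.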
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
