RE: Password recovery strategies

2008-04-16 Thread Brad Wood
If they forgot their user name, then they have other problems because
that is their Windows domain login as well as the first part of their
E-mail address.  (Company Intranet)  
Our helpdesk (which is available during all business hours) is equipped
to supply a user with their user name if it is forgotten.  The password
is of course hashed, so no one can get to it... well maybe with a
rainbow table.  :)

~Brad

-Original Message-
From: Claude Schneegans [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 15, 2008 7:49 PM
To: CF-Talk
Subject: Re: Password recovery strategies

* User clicks forgot my password link
* They enter their user name and e-mail address

What if he forgot his user name?

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;192386516;25150098;k

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303559
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


RE: Password recovery strategies

2008-04-16 Thread Bobby Hartsfield
Yes, rainbow tables or a TON of extra time and processing power would be the
solution(s) but that's much more involved (or at least time consuming) than
brute force these days so definitely stick with your hashes. The method I
described could just as easily be done with usernames OR email addresses by
the way.

..:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com





Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303563


Password recovery strategies

2008-04-15 Thread Jim McAtee
I'm exploring some of the ways that we can implement password recovery. 
Passwords are stored as hashed values in a database.

Some systems I've used will immediately reset the password, some send a 
message that when a link is followed resets the password.  Some send the 
new password out in plaintext, some require changing that password 
immediately, some let you use the randomly generated password 
indefinitely.

Ideas, pros and cons of different approaches? 



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303503


RE: Password recovery strategies

2008-04-15 Thread Brad Wood
Our system does the following:
* User clicks forgot my password link
* They enter their user name and e-mail address
* If that user name exists in the database WITH that e-mail address an
e-mail is sent to that e-mail address with a link that is valid for 24
hours.
* If/when the link is clicked the password is reset and the user is
asked to change it immediately.

The link contains the id of the user AND a random string which is stored
on the server to verify that the link came from the E-mail.

This way people can reset their own passwords and ONLY their own,
because if they try to reset someone else's password, then they won't be
able to get the link in the E-mail.  The password is only reset if the
link is clicked.  

Also there is no record of their password in their inbox and they are
required to change it anyway.  

~Brad



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303506


Re: Password recovery strategies

2008-04-15 Thread Ryan J. Heldt
We take a similar approach. I guess to expand on his explanation, we 
have a separate field in the users table that contains a UUID, generated 
at the time the request for a new password is made. The link that gets 
sent out doesn't include the UserID, just the UUID. Then, when the 
password is reset, the UUID field is set back to NULL. We also have a 24 
hr window in which to get the thing reset.

Hope this helps!
Ryan



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303511


RE: Password recovery strategies

2008-04-15 Thread Bobby Hartsfield
Well you can scratch any of those options that involve sending the user the
password in plain text... you don't know it.

In CF4em, I've stored all passwords as hashes as well and the only option is
to reset the password. The steps I take to do so are this... 

Each user record has a 'resetPasswordKey' field. When a user forgets their
password, they enter their email address, the system finds the record,
generates a key with createUUID() and sets that to the 'resetPasswordKey'
field and emails a link to the password reset form with the key appended to
the URL.

Once you get to the form, it matches the record again but this time by the
resetPasswordKey. If it finds the record, the form asks for the new
password, hashes it and updates the database with the new password hash and
sets the resetPasswordKey field to NULL again.

You can download CF4em at http://cf4em.com if you want to see the actual
code.

..:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com
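The reset flow that Brad, Ryan and Bobby describe above (user supplies a user name or e-mail address, a random key is generated and stored on the server and mailed out as a link, the link is good for 24 hours, and the key is cleared once the new password has been set), worked through as an added example written for this page. It is not code from the thread or from CF4em; the posters' code is ColdFusion, this is Python so it runs stand-alone. Things this example assumes that the thread does not say: the key column holds a SHA-256 of the key rather than the key itself, the request step returns the same message whether or not the identifier matched a record, PBKDF2 stands in for whatever password hash the posters use, and intranet.example is a placeholder host.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# The 24-hour window Brad and Ryan describe (assumption: expressed in seconds).
TOKEN_TTL_SECONDS = 24 * 60 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'.

    Stand-in for the hashed passwords the thread assumes; any slow,
    salted password hash would do here.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


@dataclass
class User:
    user_id: int
    username: str
    email: str
    password_hash: str
    # Analogue of the thread's resetPasswordKey / UUID column. Assumption:
    # it holds a SHA-256 of the key rather than the key itself, so that a
    # read of the users table does not hand out working reset links.
    reset_key_hash: Optional[str] = None
    reset_expires_at: float = 0.0


class ResetService:
    """Token-based reset: request -> e-mailed link -> single-use, time-limited reset."""

    def __init__(self, users, now: Callable[[], float] = time.time):
        self.users = {u.user_id: u for u in users}
        self.now = now
        self.outbox = []  # (recipient, link) pairs a real mailer would send

    def _find(self, identifier: str) -> Optional[User]:
        # Bobby's point: the lookup works by user name or by e-mail address.
        wanted = identifier.strip().lower()
        for user in self.users.values():
            if wanted in (user.username.lower(), user.email.lower()):
                return user
        return None

    @staticmethod
    def _key_hash(key: str) -> str:
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def request_reset(self, identifier: str) -> str:
        """Steps 1-3: accept the identifier, mail a link only to the address on record."""
        user = self._find(identifier)
        if user is not None:
            key = secrets.token_urlsafe(32)  # random, unguessable; never stored in clear
            user.reset_key_hash = self._key_hash(key)
            user.reset_expires_at = self.now() + TOKEN_TTL_SECONDS
            # Like Ryan's and Bobby's links: the key alone, no user id.
            # intranet.example is a placeholder host.
            self.outbox.append((user.email, f"https://intranet.example/reset?key={key}"))
        # Same reply whether or not the account exists (assumption: avoids
        # confirming which user names / addresses are registered).
        return "If that account exists, a reset link has been sent to its e-mail address."

    def complete_reset(self, key: str, new_password: str) -> bool:
        """Step 4: match the record by key alone, enforce expiry, then burn the key."""
        wanted = self._key_hash(key)
        for user in self.users.values():
            if user.reset_key_hash is None:
                continue
            if not hmac.compare_digest(user.reset_key_hash, wanted):
                continue
            if self.now() > user.reset_expires_at:
                user.reset_key_hash = None  # expired: discard, user must request again
                return False
            user.password_hash = hash_password(new_password)
            user.reset_key_hash = None  # single use: the NULL-ing step in the thread
            user.reset_expires_at = 0.0
            return True
        return False
```

The two points the thread makes are both enforced here: the password only changes when the mailed key comes back, and the key is cleared (set to None, the thread's NULL) the moment it is used or found expired, so a link cannot be replayed from an old inbox. Hashing the stored key is the one departure from the posters' design; it means that someone who can read the users table still cannot build a working reset link from it.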





Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303526


Re: Password recovery strategies

2008-04-15 Thread Claude Schneegans
 * User clicks forgot my password link
 * They enter their user name and e-mail address

What if he forgot his user name?

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303536


Re: Password recovery strategies

2008-04-15 Thread Phillip M. Vector
Then ask for his email address or any other piece of identification you 
have. But make sure to send it to the email on record no matter what and 
have the user who gets that email click a link which authorizes the 
change of password.

Claude Schneegans wrote:
 * User clicks forgot my password link
 * They enter their user name and e-mail address

 What if he forgot his user name?


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303537


Re: Password recovery strategies

2008-04-15 Thread Claude Schneegans
 But make sure to send it to the email on record

That was my point. Just ask for the email he used to register, and send 
him his code and password, period.

 have the user who gets that email click a link which authorizes the
 change of password.

What for? If anyone gets the message illegitimately, he will click on 
that link illegitimately as well.
The simpler it is for users, the better it is.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:303546