On Sun, 2001-12-09 at 11:02, Chuck Esterbrook wrote:
> On Thursday 22 November 2001 07:13 pm, Mike Orr wrote:
> > For instance, the fallback challenge question is good for users who
> > frequent the site and have some level of commitment to it. It's less
> > good for occasional users who maybe ar
On Thursday 22 November 2001 07:13 pm, Mike Orr wrote:
> For instance, the fallback challenge question is good for users who
> frequent the site and have some level of commitment to it. It's less
> good for occasional users who maybe aren't sure about the site, to
> whom one more personal questio
On Thursday 22 November 2001 04:01 pm, Tavis Rudd wrote:
> There's ways around this that don't require storage of passwords in
> clear text. For example, a fall-back challenge question can be used
> in combination with an email address. The user forgets their
> password, clicks 'send me a remind
I wrote:
> >
> > They should absolutely *not* be stored as plain (clear?) text.
>
> Sorry, but that *is* a knee-jerk reaction.
The text you left out explained my reaction in terms of publicly accessible
Internet sites. I did also say that it would be advisable to allow any kind of
authenticatio
On Thursday 22 November 2001 19:13, Mike Orr wrote:
> OK, but let's keep in mind that the main feature of Webware is
> flexibility. We don't want to presume to know what the best
> password-storage and password-recovery mechanism is for all sites;
> instead, we want to provide alternative schemes
On Thu, Nov 22, 2001 at 04:01:42PM -0800, Tavis Rudd wrote:
> > If passwords are hashed, it's impossible
> > have an "I forgot my password; mail it to me" screen, because the
> > program cannot unhash the password. You can say, "Oooh, that's
> > unacceptable," but it all depends on what the passwo
As for the hashed/non-hashed password question: the "forgot my password"
scenario in semi-secure systems is managed by "skill testing questions", which
can then allow a new password to be generated and emailed to a stored email
address.
Then allow the user to change their password.
I tend to think ha
On Thursday 22 November 2001 13:40, Mike Orr wrote:
> On Thu, Nov 22, 2001 at 11:26:59AM -0800, Tavis Rudd wrote:
> > > >* How are passwords stored internally? plain or hashed?
> > >
> > > They should absolutely *not* be stored as plain (clear?) text.
>
> Sorry, but that *is* a knee-jerk reaction
On Thu, Nov 22, 2001 at 11:26:59AM -0800, Tavis Rudd wrote:
> > >* How are passwords stored internally? plain or hashed?
> >
> > They should absolutely *not* be stored as plain (clear?) text.
Sorry, but that *is* a knee-jerk reaction. There are tradeoffs both
ways, and it should be the app dev