2009/11/18 Jeremy Evans <[email protected]>:
> On Nov 18, 6:57 am, Scott LaBounty <[email protected]> wrote:
>> All,
>>
>> I've just put up another post Ramaze / Sequel. This one talks about letting
>> a user know their password if they forget. Let me know if you find any
>> issues.
>>
>> http://steamcode.blogspot.com/2009/11/forgot-password.html
>>
>> Thanks!
>
> I'll admit to not reviewing the code in detail, because I think the
> basic design is flawed. You shouldn't be storing the user's passwords
> directly in the database, it's generally considered a security risk.
> You should be storing only password hashes in the database, preferably
> salted per user.
>
> Personally, I think challenge questions are stupid. Most challenge
> questions are easily guessable with a little research.
There was a paper from Microsoft Research proving Jeremy's point. It also replicated another result, which was that 20% of people forget their answers within 6 months. (Don't have the link handy, I think you'll find the references by searching on Usability Security Question.)

André

--
You received this message because you are subscribed to the Google Groups "sequel-talk" group.
To post to this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/sequel-talk?hl=.
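Jeremy's point about storing only per-user salted hashes, as an added example written for this thread (not code from the blog post, Sequel or Ramaze): it assumes PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library as the hash, and shows what a forgot-password flow does once the password itself is not recoverable: it mints a random, expiring reset token and stores only the token's hash.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Assumed parameters for this example (PBKDF2-HMAC-SHA256 via Ruby's OpenSSL stdlib).
ITERATIONS = 100_000
KEY_LENGTH = 32

# Compares two strings without short-circuiting on the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns what the users table would store instead of the password:
# a fresh random salt for this user, the iteration count, and the derived hash (hex).
def create_password_record(password, iterations = ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                    length: KEY_LENGTH, hash: 'sha256')
  { salt: salt.unpack1('H*'), iterations: iterations, hash: digest.unpack1('H*') }
end

# Login check: re-derive the hash from the stored salt and compare in constant time.
def password_matches?(record, candidate)
  salt = [record[:salt]].pack('H*')
  digest = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt, iterations: record[:iterations],
                                    length: KEY_LENGTH, hash: 'sha256')
  constant_time_equal?(digest.unpack1('H*'), record[:hash])
end

# Forgot-password flow: the raw token goes to the user (e.g. in an e-mail link);
# only its SHA-256 and an expiry are stored, so a database leak does not leak usable tokens.
def issue_reset_token(now = Time.now, ttl_seconds = 3600)
  token = SecureRandom.urlsafe_base64(32)
  stored = { token_hash: Digest::SHA256.hexdigest(token), expires_at: now + ttl_seconds }
  [token, stored]
end

# Accepts a presented token only if it is unexpired and hashes to the stored value.
def reset_token_valid?(stored, presented, now = Time.now)
  now < stored[:expires_at] &&
    constant_time_equal?(Digest::SHA256.hexdigest(presented), stored[:token_hash])
end
```

A real application would also mark the token used after one successful reset and then set a new salted hash with create_password_record.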
