On Thu, Jul 03, 2008 at 11:16:11AM +0100, Alan Burlison wrote:
> Hugh McIntyre wrote:
> 
> > Personally I hate sites that do this.  Is there any chance of a "reset 
> > password and email the new value to the email address on record" policy 
> > instead, as several other sites use?
> 
> I don't like it much myself, but mailing out passwords in cleartext is 
> horrendously insecure.  And in any case, we don't store the passwords in 
> cleartext, they are hashed before they are stored.  We can't mail them 
> out even if we wanted to.

Well, you could reset them to random value X, mail out X, then require
that they are changed immediately.  Not saying that's any more secure,
just that it is possible.

Ceri
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere
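
The reset flow Ceri describes (set the password to a random value X, send X, force a change at first login), as an added example that is not code from this thread or from the site's own system; the PBKDF2 parameters, the one-hour expiry and the in-memory user store are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed expiry for the temporary value X; the thread does not specify one.
TEMP_PASSWORD_TTL = 3600  # seconds


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class UserStore:
    def __init__(self):
        self.users = {}  # username -> record; in-memory stand-in for a database

    def create(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "must_change": False, "temp_expires": None}

    def reset_password(self, username):
        """Replace the password with random X and return X for mailing.
        Only the hash is kept, so X cannot be recovered from the store later."""
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.users[username].update(salt=salt, hash=hash_password(temp, salt),
                                    must_change=True,
                                    temp_expires=time.time() + TEMP_PASSWORD_TTL)
        return temp  # the caller mails this once; it is never logged or stored

    def login(self, username, password):
        """Returns 'ok', 'must_change' (X accepted, change required) or 'denied'."""
        rec = self.users.get(username)
        if rec is None:
            return "denied"
        if rec["temp_expires"] is not None and time.time() > rec["temp_expires"]:
            return "denied"  # temporary value X has expired
        if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            return "denied"
        return "must_change" if rec["must_change"] else "ok"

    def change_password(self, username, old, new):
        """The forced change clears the flag; the new password must differ from X."""
        if self.login(username, old) == "denied" or new == old:
            return False
        salt = os.urandom(16)
        self.users[username].update(salt=salt, hash=hash_password(new, salt),
                                    must_change=False, temp_expires=None)
        return True
```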

_______________________________________________
website-discuss mailing list