lcrocker@nupedia.com wrote:
(2) Change the feature to "email me a new password". Passwords will be encrypted, and when the user forgets his, the system will create a new random password and email _that_. The user will then log in and change his password (hopefully to something he can remember).
Plaintext passwords won't exist anywhere with options 1 or 2--this is the most secure.
The slashdot software does something similar to this. Here's something to think about.
Each account should have a field for 'password' (encrypted, of course) and 'new password' (encrypted, of course). When a new password is requested, it is sent out (unencrypted) and stored (encrypted) in the 'new password' field. But the old password can be untouched and still functional until the new password is used, at which time it is copied to the 'password' field.
The point of these steps is to prevent a certain kind of denial-of-service attack. If I don't like you, maybe I'll just sit here requesting a new password for you, over and over, thus forcing you to be logged out over and over.
But if the old password continues to work, then all the repeated requests do is barrage you with annoying email -- this email should identify the ip number of the person clicking on 'send a new password'.
--Jimbo
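A sketch of the two-field scheme Jimbo describes, added here as an example rather than code from the list or from the wiki software. The `Account` class, the PBKDF2 parameters and the `notices` list (standing in for the outgoing email) are assumptions; the new password is returned from `request_new_password` so a caller can deliver it, since sending mail is out of scope.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumed hashing parameter


def _hash(pw, salt=None):
    """Salted PBKDF2 hash; returns (salt, digest) so the plaintext is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def _matches(pw, stored):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """One user record with a hashed 'password' and an optional hashed 'new password'."""

    def __init__(self, password):
        self.password = _hash(password)
        self.new_password = None  # only set while a reset is pending
        self.notices = []         # constructed stand-in for the emails sent to the owner

    def request_new_password(self, requester_ip):
        """Generate a random password and store only its hash in 'new_password'.
        The current password is left untouched, so a flood of requests cannot
        log the owner out; each notice records who asked."""
        pw = secrets.token_urlsafe(12)
        self.new_password = _hash(pw)
        self.notices.append(f"new password requested from {requester_ip}")
        return pw  # the value that would be emailed to the account owner

    def login(self, attempt):
        """Old password keeps working until the pending one is used, at which
        point the pending hash is copied into 'password' and cleared."""
        if _matches(attempt, self.password):
            return True
        if self.new_password is not None and _matches(attempt, self.new_password):
            self.password = self.new_password
            self.new_password = None
            return True
        return False
```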