
View Full Version : password by email



rafiki
03-20-2007, 04:19 AM
Question...
If I sha1() my passwords before entering them into the database,
how can I send passwords by email if I can't de-sha1() them?

Nightfire
03-20-2007, 04:54 AM
You send a new random password, or get them to answer a secret question or 2. For complete security, never send a password, the latter is the best way. If it's a 'normal' non-personal system, i.e. no bank details involved, then send a new password via email.

rafiki
03-20-2007, 04:58 AM
Your sig =
"Please do not add me to MSN in the hopes of me doing projects/code for you for free. If you have coding problems, use the forums. Thanks" <<< referring to me?

Quote: "You send a new random password, or get them to answer a secret question or 2. For complete security, never send a password, the latter is the best way. If it's a 'normal' non-personal system, i.e. no bank details involved, then send a new password via email."

What's the difference if they forgot their email? If it's someone else asking for the new password, it won't make a difference if they can read the email? But I guess the difference is easiness.
So you make a random password the same way you make a captcha string, then modify the database, and if successful you email them the random password?

Nightfire
03-20-2007, 12:56 PM
Referring to everyone.

The reason why you shouldn't send passwords via email is that email isn't that secure. There are ways for emails to be read while they're being sent from a server, but I am unsure how it's done. It's why you'll never get an email with your password sent to you by your bank.

You make a random password, if you're doing it by email then send the unhashed version to them, store the hashed version in the db. Once they log in with that password, take them to a change password screen so if they do keep the email with the password you sent, it'll no longer work as they've got a new one.
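
The reset flow described in the post above, as an added PHP example that is not part of the original thread: a random temporary password is generated, only its hash is stored, and a login with it leads only to the change-password step. Assumptions: PHP 7 or later, `password_hash()` used in place of the `sha1()` mentioned in the thread, and a hypothetical in-memory `$users` array, function names and email address standing in for the real database and account.

```php
<?php
// Added example. $users is a constructed in-memory stand-in for the users table.
$users = ['rafiki@example.com' => [
    'hash' => password_hash('old-secret', PASSWORD_DEFAULT),
    'must_change' => false,
]];

function randomPassword(int $length = 12): string {
    // random_int() uses the OS CSPRNG; rand()/mt_rand() are predictable.
    // Look-alike characters (0/O, 1/l/I) are left out of the alphabet.
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

function resetPassword(array &$users, string $email): ?string {
    if (!isset($users[$email])) {
        return null;
    }
    $plain = randomPassword();
    // Only the hash is stored; the plaintext exists just long enough to be mailed.
    $users[$email]['hash'] = password_hash($plain, PASSWORD_DEFAULT);
    $users[$email]['must_change'] = true;
    return $plain;
}

function login(array $users, string $email, string $password): string {
    if (!isset($users[$email]) || !password_verify($password, $users[$email]['hash'])) {
        return 'denied';
    }
    // A mailed password only ever leads to the change-password screen.
    return $users[$email]['must_change'] ? 'change_password' : 'ok';
}

function changePassword(array &$users, string $email, string $new): void {
    $users[$email]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$email]['must_change'] = false;
}

$email = 'rafiki@example.com';
$temp = resetPassword($users, $email);   // this value goes in the email body
echo login($users, $email, 'old-secret'), "\n";
echo login($users, $email, $temp), "\n";
changePassword($users, $email, 'chosen-by-user');
echo login($users, $email, $temp), "\n";
echo login($users, $email, 'chosen-by-user'), "\n";
```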

timgolding
03-20-2007, 01:34 PM
E-mail can be sniffed in many alternative ways. It passes through corporate firewalls, which may monitor the traffic. It often gets logged and saved for extended periods of time. It may get accidentally misdirected, and end up in somebody else's mailbox. The best way to keep such e-mail secret is to encrypt it. GnuPG is an example.

rafiki
03-21-2007, 12:20 AM
What is GnuPG @ timgolding?

Nightfire
03-21-2007, 12:26 AM
http://en.wikipedia.org/wiki/GNU_Privacy_Guard can describe it better than me.


