  1. #1 nikos101 (Senior Coder, London)

    Forgotten password security

    What would be the security advantage in sending an email with a link to click on to request a new password over just sending them an email with their password upon submitting a form with their email address?


  • #2 Spookster (Supreme Overlord, Marion, IA USA)
    You want to minimize exposure to the password. Sending it through an email in plain view could allow it to be seen by others in physical line of sight as well as others who might intercept or gain access to the emails besides the owner of that email. Then you might ask if they can intercept or gain access to the email then why would sending a link be any better. The link you send should only allow access once and should expire after a short amount of time if not clicked on. Sending a password in an email will still be visible in the email unless they delete it completely and that password will still give them access unless of course it was a temporary password and you require them to change it upon logging in.
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster

    Thanked by: nikos101 (03-11-2008)

  • #3 nikos101 (Senior Coder, London)
    Always a pleasure Spookster!!

    That's added to my arsenal of knowledge


  • #4 Rockstar Coder (USA)
    You shouldn't be storing their password in clear text in your database anyways. You should be storing the hash of their password. Popular hashes are MD5 or SHA1. And of course if you are doing that you can't send them their original password back to them.

    Then if they forget the password, you can do what Spookster suggested and send them a link.
    OracleGuy
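    The two pieces of advice in this thread (Spookster's single-use, short-lived reset link, and OracleGuy's point that only a password hash should be stored, so the original can never be mailed back) fit together in one small service. The following is an added example written for this page, not code from any poster; it assumes an in-memory dictionary in place of a database, an injectable clock so expiry can be exercised, and PBKDF2-HMAC-SHA256 for the password hash. Note that the reset token itself is stored only as a hash, so a copied token table cannot be replayed, and the raw token exists only in the link that goes out by e-mail.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed example: in-memory user and token tables stand in for a real
# database. Only password hashes and token hashes are ever stored.
TOKEN_TTL_SECONDS = 15 * 60      # a reset link is valid for 15 minutes
PBKDF2_ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor


def hash_password(password, salt=None):
    """Return 'saltHex$digestHex' for a password, using a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def _token_hash(token):
    # Store a hash of the token, never the token itself.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class PasswordResetService:
    """Hypothetical service that issues one-time, short-lived reset tokens."""

    def __init__(self, now=time.time):
        self.users = {}    # email -> {"pw_hash": str}
        self.tokens = {}   # token_hash -> {"email", "expires", "used"}
        self.now = now     # injectable clock so expiry can be tested

    def register(self, email, password):
        self.users[email] = {"pw_hash": hash_password(password)}

    def login(self, email, password):
        user = self.users.get(email)
        return user is not None and verify_password(password, user["pw_hash"])

    def request_reset(self, email):
        """Return the raw token to embed in the e-mailed link, or None.

        The caller should show the same "check your inbox" message either
        way so the response does not reveal which addresses are registered.
        """
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[_token_hash(token)] = {
            "email": email,
            "expires": self.now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token, new_password):
        """Consume the token once; reject if unknown, already used, or expired."""
        record = self.tokens.get(_token_hash(token))
        if record is None or record["used"] or self.now() > record["expires"]:
            return False
        record["used"] = True
        self.users[record["email"]]["pw_hash"] = hash_password(new_password)
        return True
```

    A real deployment would keep the token table in the database with the expiry indexed for cleanup, and would invalidate any older outstanding tokens for the same account when a new one is issued.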

  • #5 nikos101 (Senior Coder, London)
    Yeah, that's what I'm doing now, thanks.


