  1. #1
    Senior Coder rafiki's Avatar
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,046
    Thanks
    19
    Thanked 42 Times in 42 Posts

    password by email

    Question....
    If I sha1() my passwords before entering them into the database...
    how can I send passwords by email if I can't de-sha1() them?

  • #2
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts
    You send a new random password, or get them to answer a secret question or two. For complete security, never send a password; the latter is the best way. If it's a 'normal' non-personal system - i.e. no bank details involved - then send a new password via email.

  • #3
    Senior Coder rafiki's Avatar
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,046
    Thanks
    19
    Thanked 42 Times in 42 Posts
    Your sig =
    Please do not add me to MSN in the hopes of me doing projects/code for you for free. If you have coding problems, use the forums. Thanks <<< referring to me?
    Quote Originally Posted by Nightfire View Post
    You send a new random password, or get them to answer a secret question or two. For complete security, never send a password; the latter is the best way. If it's a 'normal' non-personal system - i.e. no bank details involved - then send a new password via email.
    What's the difference if they forgot their email? If it's someone else asking for the new password, it won't make a difference if they can read the email? But I guess the difference is easiness.
    So you make a random password
    the same way you make a captcha string, then modify the database, and if successful you email them the random password?

  • #4
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts
    Referring to everyone.

    The reason why you shouldn't send passwords via email is that email isn't that secure. There are ways for emails to be read while they're being sent from a server, but I am unsure how it's done. It's why you'll never get an email with your password sent to you by your bank.

    You make a random password; if you're doing it by email, then send the unhashed version to them and store the hashed version in the db. Once they log in with that password, take them to a change-password screen, so if they do keep the email with the password you sent, it'll no longer work as they've got a new one.
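    The flow Nightfire describes, as an added example that is not code from this thread: generate a random temporary password, store only its hash (a salted PBKDF2 hash is assumed here in place of the bare sha1() from the question), flag the account so the first login forces a password change, and make the emailed temporary password useless once the user has picked a new one. The `USERS` dict is a constructed stand-in for the database table.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed in-memory stand-in for the users table.
USERS = {}


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash (assumed here) instead of a bare sha1().
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(username: str, password: str, must_change: bool) -> None:
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "must_change": must_change,   # forces the change-password screen
    }


def issue_temporary_password(username: str, length: int = 12) -> str:
    """Generate a random one-time password; only its hash is stored.
    The returned plaintext is what would go into the email."""
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(length))
    set_password(username, temp, must_change=True)
    return temp


def login(username: str, password: str) -> str:
    """Return 'denied', 'change_password' or 'ok'."""
    user = USERS.get(username)
    if user is None:
        return "denied"
    candidate = hash_password(password, user["salt"])
    # Constant-time comparison of the stored and candidate hashes.
    if not hmac.compare_digest(candidate, user["hash"]):
        return "denied"
    return "change_password" if user["must_change"] else "ok"


def change_password(username: str, old: str, new: str) -> bool:
    """Replace the temporary password; the emailed one stops working."""
    if login(username, old) == "denied":
        return False
    set_password(username, new, must_change=False)
    return True
```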

  • #5
    Senior Coder timgolding's Avatar
    Join Date
    Aug 2006
    Location
    Southampton
    Posts
    1,519
    Thanks
    114
    Thanked 110 Times in 109 Posts
    E-mail can be sniffed in many alternative ways. It passes through corporate firewalls, which may monitor the traffic. It often gets logged and saved for extended periods of time. It may get accidentally misdirected and end up in somebody else's mailbox. The best way to keep such e-mail secret is to encrypt it. GnuPG is an example.
    You can not say you know how to do something, until you can teach it to someone else.

  • #6
    Senior Coder rafiki's Avatar
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,046
    Thanks
    19
    Thanked 42 Times in 42 Posts
    What is GnuPG @ timgolding?

  • #7
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts
    http://en.wikipedia.org/wiki/GNU_Privacy_Guard can describe it better than me.