PerlMonks  

Re: Plaintext passwords?

by maverick (Curate)
on Mar 22, 2002 at 20:43 UTC


in reply to Plaintext passwords?
in thread We blame tye.

The way I typically handle it is to:

  • store them crypted
  • require that the login page be accessed via SSL
  • forgotten password is reset and emailed ONLY to the email address stored in the database for the provided user id. This doesn't prevent a malicious person from resetting someone else's password, BUT the person who receives the email saying what the new (randomly generated) password is, is the valid user.

/\/\averick
perl -l -e "eval pack('h*','072796e6470272f2c5f2c5166756279636b672');"
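
The storage and reset steps from the post above, as an added example that is not part of the original post or the poster's code. Assumptions: PBKDF2-HMAC-SHA256 stands in for "crypted", and the `users` dict, the `send_mail` callback and the `requested_email` parameter are hypothetical; the SSL requirement is a deployment setting and is not shown.

```python
import hashlib
import hmac
import secrets
import string

ITERATIONS = 600_000  # assumed PBKDF2 work factor, tune for your hardware
ALPHABET = string.ascii_letters + string.digits


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; only this string is ever stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def reset_password(users, user_id, send_mail, requested_email=None):
    """Reset user_id's password and mail it to the address on record.

    requested_email models an address supplied with the reset request.
    It is deliberately ignored: whoever triggers the reset, the new
    password only reaches the owner of the stored mailbox.
    """
    user = users.get(user_id)
    if user is None:
        return False  # for server-side logging, not for the requester
    new_password = "".join(secrets.choice(ALPHABET) for _ in range(16))
    user["pw_hash"] = hash_password(new_password)
    send_mail(user["email"], f"Your new password is: {new_password}")
    return True


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    users = {"alice": {"email": "alice@example.com",
                       "pw_hash": hash_password("old-secret")}}
    sent = []
    reset_password(users, "alice", lambda to, body: sent.append((to, body)),
                   requested_email="someone-else@example.net")
    print(sent[0][0])  # address the new password was mailed to
```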


Re: Re: Plaintext passwords?
by no_slogan (Deacon) on Mar 23, 2002 at 17:16 UTC
    That all sounds good. I assume that once someone logs in successfully via SSL, you send them a cookie, and they continue using that over an unsecured connection? In that case, the cookie essentially becomes the user's password. Do you have a good solution for preventing the bad guys from capturing and reusing that cookie?
Re: Re: Plaintext passwords?
by Anonymous Monk on Mar 26, 2002 at 03:22 UTC
