Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number

Re: Plaintext passwords?

by maverick (Curate)
on Mar 22, 2002 at 20:43 UTC ( #153643=note: print w/ replies, xml ) Need Help??

in reply to Plaintext passwords?
in thread We blame tye.

The way I typically handle it is to.

  • store them crypted
  • require that the login page be accessed via SSL
  • forgotten password is reset and emailed ONLY to the email address stored in the database for the provided user id. This doesn't prevent a malicious person from resetting someone else's password, BUT the person who receives the email saying what the new (randomly generated) password is, is the valid user.

perl -l -e "eval pack('h*','072796e6470272f2c5f2c5166756279636b672');"

Comment on Re: Plaintext passwords?
Replies are listed 'Best First'.
Re: Re: Plaintext passwords?
by no_slogan (Deacon) on Mar 23, 2002 at 17:16 UTC
    That all sounds good. I assume that once someone logs in successfully via SSL, you send them a cookie, and they continue using that over an unsecured connection? In that case, the cookie essentially becomes the user's password. Do you have a good solution for preventing the bad guys from capturing and reusing that cookie?
Re: Re: Plaintext passwords?
by Anonymous Monk on Mar 26, 2002 at 03:22 UTC

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://153643]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (7)
As of 2015-11-27 13:37 GMT
Find Nodes?
    Voting Booth?

    What would be the most significant thing to happen if a rope (or wire) tied the Earth and the Moon together?

    Results (729 votes), past polls