Unfortunately, many sites have to support a "mail me my password" feature. A tech site like this can get away with just sending people a new auto-generated password, but I don't think that, say, Amazon.com could do that. That means they must have the passwords in plain text somewhere.
Re: Re: We blame tye.
Replies are listed 'Best First'.
A tech site like this can get away with just sending people a new auto-generated password
Then someone could hassle me by repeatedly requesting password changes on my account. If they did it every 5 minutes, I could hardly use the site at all. The server could impose a rate limit on password changes, like only one per day or so. That would eliminate the full-blown denial of service, but I'd still have to go check my e-mail for the new password, which might be inconvenient.
This is true. I'm not sure there's a good way to deal with all possible attacks like this.
As an aside, I often go to sites that have "mail me my password" features, request my password, and then realize I signed up under a different name. Then I wonder what the guy who just got the password reminder mail is thinking.
To get around this, some sites ask the user for a hint question when they register. If the user forgets their password, they must answer their hint question (which they hopefully still remember), and supply some other personal information (which is verified against the info they provided upon registering). A new password is generated and emailed only if the above are correct. I'm pretty sure Yahoo does this for My Yahoo, Yahoo Mail, and the like.
Another idea would be to generate a new password, but revert to the old one after, say, ten minutes if the user doesn't log in and change it. In this case, you would still let the user log in with the old password within those ten minutes. I realize this might not be easy to impliment ontop of an existing username/password database, though.
We could ask for your e-mail address and "real name" before we would reset your password. But I'll just be happy to not include the password in the "edit user" HTML code and to require that the password be reentered in order for you to be able to change it.
If the user forgets their password, they must answer their hint question (which they hopefully still remember), and supply some other personal information (which is verified against the info they provided upon registering).
Unfortunately, easy to remember == easy to guess (especially if it's someone you know), and "other personal information" is usually not hard to find with some research. Sometimes, you won't know the real identity that goes with someone's online persona, so that won't get you anywhere. Sometimes, you will, though. That solution is probably better than nothing, though.