PerlMonks
Since the passwords are stored encrypted, you can't very well send them to the users. So, the password can be reset to a new random one using Crypt::RandPasswd and emailed to the email address stored in the database for user john. If we have the public PGP key for 'john' then we PGP encrypt the message. (It does no good to email the password in the clear if there's a black hat sniffing traffic.)

Do not do that! Really, never send a cleartext password to an email address. If you have their public PGP key, then it can be applicable, but not otherwise.

If you don't have the key, try this instead: Ask for a login name or an email address. Make sure it exists in your database. If it's not an email, get the email associated with it from your records. Create a temporary, rather long random key and save it somewhere, along with the data they entered. Send them an email and ask them to go to a URL like this: http://www.example.com/reset_pass?key=<random_key>. That page will hold a simple form to enter a username (or email, in case the username can be forgotten, too) and a new password, twice. When they submit that, compare the key with the one you saved and take action if, and only if, those keys match.

This way, you can avoid sending passwords in the clear (well, partially). Plus, the password you create can be quite complex, thus making the user type it rather slowly. I can usually guess what people type just by looking at their fingers, and it's really easy if you know the keyboard well and they don't. This kind of thievery will be avoided, also.

And for the last issue, I myself would not try to automate this either. I think it needs to be handled in person. Ask other questions along with the one in the database, if applicable (i.e. 'when did you first create the account', 'when did you last log in'. If this information is public, then they are of no use, of course.) If the answer is accurate, then you can consider changing the email address in the database to the new one and asking for a new password. Otherwise, it's best to ask them to simply create a new account.

--
Alper Ersoy


In reply to Re: Web based password management (or how *not* to blame tye) by aersoy
in thread Web based password management (or how *not* to blame tye) by maverick
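The reset flow aersoy describes (look up the login or email, mint a long random key, mail a link carrying it, and change the password only when the submitted key matches a saved one), as an added example that is not code from this thread. It goes a little beyond the post in three ways that a practitioner would expect: the saved copy of the key is its SHA-256 digest rather than the key itself, the key expires, and it is consumed on first use. Assumptions: a Unix `/dev/urandom` for randomness, the `%users` and `%resets` hashes standing in for database tables, salted SHA-256 standing in for a proper password hash, and the names `request_reset`, `complete_reset`, `$TOKEN_TTL` and `$MIN_PW_LEN` are all made up here.

```perl
#!/usr/bin/perl
# Added example (not code from the original thread): a key-based password
# reset along the lines aersoy describes.  Assumes a Unix /dev/urandom; the
# %users and %resets hashes stand in for database tables.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $TOKEN_BYTES = 32;        # 256-bit reset key, sent as 64 hex characters
my $TOKEN_TTL   = 30 * 60;   # a key is only honoured for 30 minutes
my $MIN_PW_LEN  = 12;        # illustrative policy, not from the thread

sub random_hex {
    my ($nbytes) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, $nbytes;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $nbytes;
    return unpack 'H*', $bytes;
}

# Salted SHA-256 stands in for a real password hash (bcrypt/scrypt in
# production); the point here is only that no cleartext password is stored.
sub hash_password {
    my ($password, $salt) = @_;
    $salt //= random_hex(16);
    return "$salt\$" . sha256_hex("$salt:$password");
}

sub check_password {
    my ($stored, $candidate) = @_;
    my ($salt) = split /\$/, $stored, 2;
    return hash_password($candidate, $salt) eq $stored;
}

# Constructed sample data: login => { email, pw_hash }.
my %users = (
    john => { email   => 'john@example.com',
              pw_hash => hash_password('correct horse battery staple') },
);

# Pending requests keyed by the SHA-256 of the key, never the key itself,
# so a copy of this table cannot be turned into working reset links.
my %resets;

# Step 1: the user supplies a login or an email.  Whether or not it is
# known, the page shows the same message; only a known account gets a key.
sub request_reset {
    my ($who) = @_;
    my ($login) = grep { $_ eq $who || $users{$_}{email} eq $who } sort keys %users;
    return unless defined $login;

    my $key = random_hex($TOKEN_BYTES);
    $resets{ sha256_hex($key) } = { login => $login, issued => time };
    return {
        to   => $users{$login}{email},
        body => "Visit http://www.example.com/reset_pass?key=$key within 30 minutes.\n",
        key  => $key,   # returned only so the demo below can use it
    };
}

# Step 2: the form at that URL posts the key, the login and the new password
# twice.  Change the password if, and only if, the key is one we issued, is
# still fresh, and was issued for the login given.
sub complete_reset {
    my ($key, $login, $pw1, $pw2) = @_;
    return 'passwords do not match' if $pw1 ne $pw2;
    return 'new password too short' if length $pw1 < $MIN_PW_LEN;

    # Look up by digest: a timing difference here can at most leak bits of
    # the digest, which does not help anyone reconstruct the key itself.
    my $req = delete $resets{ sha256_hex($key) };   # single use, success or not
    return 'invalid or expired key' unless $req;
    return 'invalid or expired key' if time - $req->{issued} > $TOKEN_TTL;
    return 'invalid or expired key' unless $req->{login} eq $login;

    $users{$login}{pw_hash} = hash_password($pw1);
    return 'ok';
}

unless (caller) {
    my $mail = request_reset('john@example.com') or die "unknown account\n";
    print "would send to $mail->{to}:\n$mail->{body}";

    my $guess = '0' x 64;   # a made-up key of the same shape as a real one
    print "guessed key: ", complete_reset($guess, 'john', 'a' x 12, 'a' x 12), "\n";
    print "real key:    ", complete_reset($mail->{key}, 'john', 'n3w-passw0rd!x', 'n3w-passw0rd!x'), "\n";
    print "replayed:    ", complete_reset($mail->{key}, 'john', 'again-again-1', 'again-again-1'), "\n";
    print "new password works: ", check_password($users{john}{pw_hash}, 'n3w-passw0rd!x') ? 'yes' : 'no', "\n";
}
```

Two design points follow from the thread's "if, and only if": the key is deleted before any of the checks run, so a single submission, right or wrong, spends it and a leaked link cannot be replayed; and the key alone is not enough, since the request remembers which login it was issued for and the form must name the same one, which is what lets the page ask for a username "in case username can be forgotten, too" without turning that field into a way to redirect someone else's reset.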
