Re: Most secure way to reset a password via email link [message #185161 is a reply to message #185158]
Wed, 05 March 2014 16:29
Christoph Michael Bec
Messages: 207 Registered: June 2013
Senior Member
Ben Bacarisse wrote:
> I don't have anything I can show, but I would make one recommendation:
> don't store passwords directly -- always hash them internally. That
> way, an accidental or malicious release of the database (which just
> seems to happen time and time again) won't reveal actual passwords.
> Some effort (and you can make it significant effort) would be required
> to recover the password from the hash. Also, users often re-use
> passwords and you won't placate a user who's been told that their
> favourite password is now out in the open by saying that they should not
> have used it for more than one site -- no matter how true that is!
OWASP regards passwords stored as plain text as a vulnerability.[1]
[1] <https://www.owasp.org/index.php/Password_Plaintext_Storage>
--
Christoph M. Becker