Re: Most secure way to reset a password via email link [message #185165 is a reply to message #185163]
Wed, 05 March 2014 21:26
Chuck Anderson
Messages: 63 Registered: September 2010
J.O. Aho wrote:
> On 05/03/14 14:02, jvd_200089(at)yahoo(dot)co(dot)uk wrote:
>
>> 2) The other way involves sending a link for them to click on that
>> redirects them to the password reset page but unless their email
>> is secure anyone could click that link.
>
> Sure, but you could use those really stupid questions like "what was
> your mother's maiden name" to make it a bit more difficult to just
> hijack when someone has taken over someone else's mail account.
Yes, ... I hate these challenge question schemes. I do not like being
forced to share things like my mother's maiden name - or other, perhaps,
private information with other people. Do they hash those answers, too?
If not, it's like giving away the keys to any other site where I use
that. If I pick a random question and supply a random answer, how do I
remember it?
I noticed that my answer at one site can be mistyped slightly and still
pass. This would imply that they are saving this information in plain
text. Stupid is as stupid does.
I think this kind of thing (and requirements on password strength)
creates a security problem of its own by forcing people to record this
information somewhere and then keep it handy.
To the OP - it has been said - do not store passwords in plain text or a
retrievable form. Use a one way hash. Any site that can "send me my
password if I forgot" is a big security risk.
--
*****************************
Chuck Anderson • Boulder, CO
http://cycletourist.com
Turn Off, Tune Out, Drop In
*****************************
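An added example in Python (mine, not code from Chuck or the original poster) showing both points raised in the post: security answers kept only as salted, slow one-way hashes, with light normalization so a slightly mistyped answer can still pass without the clear text ever being stored, and the e-mailed reset link carrying a random, single-use, expiring token of which only a hash is kept. The in-memory USERS store and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import secrets
import time
import unicodedata

USERS: dict = {}  # constructed in-memory stand-in for the site's user table
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware

def normalize_answer(answer: str) -> str:
    # Fold case, accents and whitespace so small typing variants still match,
    # without keeping the answer itself in clear text.
    folded = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def set_security_answer(user: str, answer: str) -> None:
    # Treat the answer exactly like a password: salted, slow, one-way hash.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 salt, PBKDF2_ROUNDS)
    USERS.setdefault(user, {})["answer"] = (salt, digest)

def check_security_answer(user: str, answer: str) -> bool:
    record = USERS.get(user, {}).get("answer")
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                    salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def issue_reset_token(user: str, ttl_seconds: int = 900) -> str:
    # Returns the token for the e-mailed link; only its SHA-256 is stored.
    token = secrets.token_urlsafe(32)  # 256 random bits, so a fast hash is enough
    USERS.setdefault(user, {})["reset"] = (
        hashlib.sha256(token.encode()).digest(), time.time() + ttl_seconds)
    return token

def redeem_reset_token(user: str, token: str, now=None) -> bool:
    # Accept a token once, and only before it expires.
    now = time.time() if now is None else now
    record = USERS.get(user, {}).get("reset")
    if record is None:
        return False
    stored_hash, expires_at = record
    if now > expires_at or not hmac.compare_digest(
            hashlib.sha256(token.encode()).digest(), stored_hash):
        return False
    del USERS[user]["reset"]  # single use
    return True
```

Because the reset record holds only a hash of the token, a copy of the database does not let anyone build a working reset link, and a wrong guess does not consume the legitimate token.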