Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 5 of 5
Thread: Forgotten password security
03-11-2008, 12:56 PM #1
Forgotten password security
What would be the security advantage in sending an email with a link to click on to request a new password over just sending them an email with their password upon submitting a form with their email address?
03-11-2008, 03:50 PM #2
- Join Date
- May 2002
- Marion, IA USA
- Thanked 83 Times in 82 Posts
You want to minimize exposure to the password. Sending it through an email in plain view could allow it to be seen bu others in physical line of sight as well as others who might intercept or gain access to the emails besides the owner of that email. Then you might ask if they can intercept or gain access to the email then why would sending a link be any better. The link you send should only allow access once and should expire after a short amount of time if not clicked on. Sending a password in an email will still be visible in the email unless they delete it completely and that password will still give them access unless of course it was a temporary password and you require them to change it upon logging in.
CodingForums Supreme Overlord
All Hail Spookster
Users who have thanked Spookster for this post:
03-11-2008, 04:01 PM #3
Always a pleasure Spookster!!
Thats added to my arsenal of knowledge
03-12-2008, 02:11 AM #4
- Join Date
- Jun 2002
- Thanked 328 Times in 324 Posts
You shouldn't be storing their password in clear test in your database anyways. You should be storing the hash of their password. Popular hashes are MD5 or SHA1. And of course if you are doing that you can't send them their original password back to them.
Then if they forget the password, you can do what Spookster suggested and send them a link.
03-12-2008, 09:55 AM #5
Yeah thats what I'm doing the now thanks.