[development] password generation/sending

I need to automatically generate and reset passwords for users
(that's a requirement), but I do not know how to send it to them, as
it should be encrypted on the network.

I think email is not secure, as not all users will have encryption on
their email client (hotmail...).
Any idea how to do that?


Re: [development] password generation/sending


Your requirements are internally incompatible. There is *no*
secure way in which to transmit plain-text passwords over an insecure
network. (This is sometimes called "the key distribution problem".)

Re: password generation/sending

On 17 Feb, 16:49, rober...@hushmail.com (Walter Roberson) wrote:

You are right.
I might use the following approach:

When a user is created, an email will be sent to him.
The email will contain a link to an https web page (link will only last 24
On the web page, he will be prompted to answer a secret question (he
chose the question + answer when creating his account).
If successful, the page will display the generated password (he will
have to change it at his first login).

Same procedure if he wants to reset his password.

The only problem I can see is phishing using a web page that would
look like my web page.

Any comment is welcome :)

Re: password generation/sending


If person X has not yet created an account but is authorized to
have one, then what safeguards exist to prevent person Y from
creating an account in person X's name?

Is all of this happening in an internal network, or over a public
network? If intended as an internal network, recall that email has
a tendency to get read outside of the internal network, by forwarding
or VPNs or proxies or "webmail" pages. If intended as an internal
network, what degree of trust is there of the users?

Is there a list of authorized users? If not, then how will you prevent
joke accounts or multiple accounts per user?


Worries about phishing tend to suggest to me that you are planning
to do this over public networks.
