Password retrieval system


I wish to set up an automatic password recovery system on my website,
like the one most sites have nowadays. You need to enter your
mail-id as provided earlier or answer the secret question. Can anyone
please help me to understand exactly how it works and what are the
possible security threats involved?

Re: Password retrieval system

The code gets the data out of the database and sends an email, or
verifies the response?

Security threats are that your info is probably in the database in the
clear, or at best, in some recoverable to clear-text format.

Re: Password retrieval system

The problem is that you need to keep a database of cleartext passwords on
your system. This makes it an ideal hacker target, since people often reuse
their passwords. Thus by grabbing your database, they will have a huge list
of people, their email addresses and their passwords probably to other
Passwords should always be one way, so that the customer can change their
password with appropriate permission from your system, but cannot be told
their password.

Re: Password retrieval system

Unruh wrote:

Luckily that isn't mandatory.


You store only a hash of the password. When a user who has forgotten the
password requests a copy, you just generate a new random password, send
it to the user, and store the hash in the database. The user has the
option to change the random password to whatever s/he likes in the usual

-- Lassi

Re: Password retrieval system
Never mail the original password to an email-id. The original password
should be stored as secure one-way hashes, preferably at least SHA-256,
in your database/file. If a user has lost his/her password, make them
answer some question before mailing a random one-time password to their
email account.
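The reset flow the replies describe (store only a salted hash; when a password is forgotten, generate a random one-time password, store its hash, mail the cleartext once, and force a change on first use), as an added Python example that is not code from any poster in this thread. The in-memory USERS store, the function names, the PBKDF2 work factor and the 15-minute validity window are assumptions.

```python
import hashlib
import hmac
import secrets
import time
# Constructed in-memory user store standing in for the database; all names are assumptions.
USERS = {}
PBKDF2_ROUNDS = 600_000      # work factor for PBKDF2-HMAC-SHA256 (assumed value)
ONE_TIME_TTL = 15 * 60       # seconds the emailed one-time password stays valid

def hash_password(password, salt=None):
    """Salted one-way hash: the stored digest cannot be turned back into the password."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def register(username, password, email):
    salt, digest = hash_password(password)
    USERS[username] = {"email": email, "salt": salt, "hash": digest, "temp_expires": None}

def request_reset(username):
    """Replace the stored hash with the hash of a fresh random one-time password and
    return (email, one-time password) for the mailer. The cleartext is never stored."""
    rec = USERS.get(username)
    if rec is None:
        return None            # the caller should answer identically either way
    temp = secrets.token_urlsafe(12)
    rec["salt"], rec["hash"] = hash_password(temp)
    rec["temp_expires"] = time.time() + ONE_TIME_TTL
    return rec["email"], temp

def login(username, password):
    """Returns 'ok', 'must_change' (logged in with the one-time password) or 'denied'."""
    rec = USERS.get(username)
    if rec is None:
        hash_password(password)      # equalise timing for unknown usernames
        return "denied"
    if rec["temp_expires"] is not None and time.time() > rec["temp_expires"]:
        return "denied"              # one-time password expired; a new reset is needed
    _, digest = hash_password(password, rec["salt"])
    if not hmac.compare_digest(digest, rec["hash"]):
        return "denied"
    return "must_change" if rec["temp_expires"] is not None else "ok"

def change_password(username, old_password, new_password):
    # Only succeeds when the current (possibly one-time) password is presented.
    if login(username, old_password) == "denied":
        return False
    rec = USERS[username]
    rec["salt"], rec["hash"] = hash_password(new_password)
    rec["temp_expires"] = None     # the one-time password is now burned
    return True
```

After `request_reset` the old password no longer works, so an attacker who only knows the old credential gains nothing from the stored hash, and the mailed value is useless once `change_password` has run.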
