
Generating new password!!!!

klr3 (Groupie)
Posted: 27 February 2003 at 7:58am
I don't know if you have noticed it, but the "lost password" feature isn't too good at all!

If someone wishes to bug the forum, he could go to the "lost password" feature - reply for new password, by just typing ANY OF THE REG. USERS' USERNAMES - and what is the result???

Yes, you are right, all the typed usernames becomes a new password - even though they didn't apply for it!

So when a user comes back to the forum, he can't log in, because the password has been regenerated by another user!!!

Sure, the users are sent the new password by mail, but it would keep them from coming back if the password got changed every 2nd day...

Do you think that's good?

WebWiz-Bruce (Admin Group, Web Wiz Developer)
Posted: 27 February 2003 at 8:07am
Anyone got ideas for a better solution???

klr3 (Groupie)
Posted: 27 February 2003 at 8:11am
Yes, make the database not decrypting the passwords!

If users who download your forum would only remember to rename the database to something else than WWforum.mdb, they wouldn't have any problems with security!

regards,
kenneth

WebWiz-Bruce (Admin Group, Web Wiz Developer)
Posted: 27 February 2003 at 8:32am

Problem is, judging by the number of emails accusing me of having insecure forum code because they don't follow this advice, that 90% of people don't do this.

But I have got another solution: to also ask the user for their email address before sending a new password. If the two don't match, they don't get sent it.

klr3 (Groupie)
Posted: 27 February 2003 at 8:41am
The idea isn't bad at all, as long as users remember to hide the email address, or admin has activated the built-in email client!!!

Regards,
KLR

Nigelo (Groupie)
Posted: 27 February 2003 at 8:56am

Originally posted by -boRg-:

Anyone got ideas for a better solution???

How about 2 additional db fields in Authors table as follows:

1st (encrypted using 1 way PW hashing) = User supplied friendly key word such as Mother's maiden name

2nd (not encrypted) = User supplied prompt for friendly key word such as "My Mother's Name" 

So, User would be required to correctly answer question to regenerate PW. The Admin would not therefore be bothered in majority of cases, but in event of complete User brain fade bordering on lunacy, you could then insist on email from User. The point is that even if DB is hacked, the info is useless in view of hashing.

Bruce, you already have some excellent Technology built - Just re-use for a second level password used as an escape route.

Hope this helps

Take care
Nigel



danm (Groupie)
Posted: 27 February 2003 at 10:27am

What are the security issues with this procedure for lost password:

- on the login page the user selects the 'lost password' link
- enters the user name
- he will receive the password at the e-mail address stored in his profile
- next time he will use the user name and the old password received by email

djhall (Newbie)
Posted: 27 March 2003 at 7:21am

Originally posted by -boRg-:

Anyone got ideas for a better solution???

How about not changing the password when it is requested?

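One way to implement the suggestion in the last post, as an added example (Python, not Web Wiz Forums code and not part of the original thread): a reset request only mails a single-use, expiring token, and the stored password changes only when that token is redeemed. The `Forum` class, its method names, the one-hour token lifetime and the in-memory outbox are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 3600  # assumed token lifetime in seconds

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _digest(token):
    return hashlib.sha256(token.encode()).digest()

class Forum:
    """Hypothetical in-memory stand-in for the forum's member table."""
    def __init__(self):
        self.users = {}    # username -> {"email", "salt", "hash"}
        self.resets = {}   # username -> (sha256 of token, expiry time)
        self.outbox = []   # (email, token) pairs; stands in for the mail server

    def register(self, username, email, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"email": email, "salt": salt,
                                "hash": _pw_hash(password, salt)}

    def login(self, username, password):
        u = self.users.get(username)
        return u is not None and hmac.compare_digest(
            u["hash"], _pw_hash(password, u["salt"]))

    def request_reset(self, username, now=None):
        # Anyone can trigger this by typing a username, so it must not
        # touch the stored password: it only mails a token to the owner.
        u = self.users.get(username)
        if u is None:
            return
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.resets[username] = (_digest(token), now + TOKEN_TTL)
        self.outbox.append((u["email"], token))

    def complete_reset(self, username, token, new_password, now=None):
        # The password changes only here, for whoever holds the mailed token.
        now = time.time() if now is None else now
        stored, expiry = self.resets.get(username, (b"", 0))
        if now > expiry or not hmac.compare_digest(stored, _digest(token)):
            return False
        del self.resets[username]              # single use
        salt = secrets.token_bytes(16)
        self.users[username].update(salt=salt, hash=_pw_hash(new_password, salt))
        return True
```

Only a hash of the token is stored, so a copy of the database does not yield usable reset tokens.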