Is this below a risky idea about users' privacy?
Posted: Sun Jan 23, 2011 6:54 pm
by jankidudel
Hi, I'm making a website where the user leaves his login/password in our database. I am thinking about how to implement actions if he forgets his password...
1. Get it manually from the database, use some program which decodes the password (md5 decoder) and send it via email to the user (easy way).
2. When he registers, send his data to the admin, with usernames and passwords in a normal way (plain characters, not encrypted).
Well, I'm thinking of not doing it that way: if he forgets his password, create a new temporary one, send it via email, and then the user can change it.
I'm waiting for your replies.

Re: Is this below a risky idea about users' privacy?
Posted: Sun Jan 23, 2011 7:25 pm
by Jonah Bron
The create-temporary-and-send-to-user option is the only viable solution (note that's what everyone does). There's no practical way to decrypt a hash (at least none that should be part of a password recovery system). You should never store non-encrypted passwords in any form.
Re: Is this below a risky idea about users' privacy?
Posted: Sun Jan 23, 2011 7:35 pm
by jankidudel
Re: Is this below a risky idea about users' privacy?
Posted: Sun Jan 23, 2011 8:08 pm
by Jonah Bron
That website does not decrypt hashes. As I stated before, it's impossible (without a brute force attack or a rainbow table). That site uses a rainbow table to look up the string that creates that hash.
To prove it, read what it says on that page, and try to decrypt "50a723a285df46628e96d22268d4a191" (the value of which is "helloworldhowareyouthereisnowaytheywillfigureoutwhatthevalueofthishashis").
Re: Is this below a risky idea about users' privacy?
Posted: Sun Jan 23, 2011 8:16 pm
by jankidudel
Oh, I see, thanks for your advice.
Re: Is this below a risky idea about users' privacy?
Posted: Tue Jan 25, 2011 1:21 am
by kalpesh.mahida
Hi jankidudel,
You can do it another way as well.
Steps could be as below:
1) User requests a password change by providing his email id in case he forgot it.
2) Your script generates a token and sends it with a password reset link.
3) User goes to the reset link and provides the token (it could be manual or automated).
4) Script checks the validity of the token.
5) For a valid token, the system allows the user to change the password.
Here we are sending the token to reset the password to the email registered with the application, so if the actual email holder doesn't want to change his/her password he/she can simply ignore the message. Whereas in the case you have mentioned, if I know your email id registered with the application I can make a request and your password will get changed; I'll not get your password, but your password will get changed even though you don't want to change it.
HTH
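The token-based reset flow kalpesh.mahida lays out, together with Jonah Bron's point that stored passwords must be one-way hashes rather than anything recoverable, in working form. This is an added example, not code from the original thread or from any poster. It uses in-memory dictionaries as stand-ins for the database tables, salted PBKDF2 for password storage, and stores only a hash of the reset token so a leaked token table is useless on its own; the function names, the 15-minute token lifetime and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed stand-ins for the database tables (example only).
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # email -> {"token_hash": bytes, "expires": float}

PBKDF2_ROUNDS = 100_000          # assumption: raise until one hash takes ~100 ms
TOKEN_TTL_SECONDS = 15 * 60      # assumption: reset links expire after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated one-way hash. The per-user salt defeats the precomputed
    (rainbow) tables the thread mentions; nothing here can be reversed to get
    the password back, it can only be checked against a candidate."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def set_password(email: str, password: str) -> None:
    """Store (or replace) the hash; the plaintext is never written anywhere."""
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}


def verify_password(email: str, password: str) -> bool:
    record = USERS.get(email)
    if record is None:
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1-2: mint a random token for a registered email and return it so
    the caller can put it in the emailed link. Only the token's hash is kept,
    so a copy of RESET_TOKENS does not let anyone finish a reset. Returns None
    for unknown emails; the web form should show the same message either way
    so it does not reveal which addresses are registered."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = {
        "token_hash": hashlib.sha256(token.encode("ascii")).digest(),
        "expires": (time.time() if now is None else now) + TOKEN_TTL_SECONDS,
    }
    return token


def reset_password(email: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Steps 3-5: change the password only when the presented token matches,
    has not expired and has not already been used. A bad token changes
    nothing, which is why a stranger who knows your email cannot lock you out."""
    record = RESET_TOKENS.get(email)
    if record is None:
        return False
    current = time.time() if now is None else now
    if current > record["expires"]:
        del RESET_TOKENS[email]
        return False
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(presented, record["token_hash"]):
        return False
    del RESET_TOKENS[email]          # single use
    set_password(email, new_password)
    return True


if __name__ == "__main__":
    set_password("alice@example.test", "correct horse battery")
    link_token = request_reset("alice@example.test")   # would go into the emailed link
    print("reset with bogus token:", reset_password("alice@example.test", "bogus", "x"))
    print("reset with real token: ", reset_password("alice@example.test", link_token, "new pass"))
    print("old password works:    ", verify_password("alice@example.test", "correct horse battery"))
    print("new password works:    ", verify_password("alice@example.test", "new pass"))
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real deployment you would also rate-limit `request_reset` and invalidate any outstanding token when the password is changed by other means.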
Re: Is this below a risky idea about users' privacy?
Posted: Tue Jan 25, 2011 11:17 am
by pickle
Moving to Theory and Design
Re: Is this below a risky idea about users' privacy?
Posted: Tue Jan 25, 2011 12:01 pm
by jankidudel
Why not
