custom security (authentication)

 
Ranch Hand
Posts: 308
Hi,

I am building a webapp and want to implement a simple custom authentication as a login (-> user/password). I would prefer to hash the password to identify the user, but in webapps it's usual to send passwords to a user in case he forgets it.

So I need to keep unhashed passwords (hashed ones cannot be reconstructed) in my database. Is it usual to still keep hashed passwords, to use them for identification? Or would it be overengineered/unnecessary if I chose both "password-saving" strategies?

Or maybe, in case the user forgets the password, I should send a default password he can change afterwards?

Thanks.
 
Rancher
Posts: 43081

> but in webapps it's usual to send passwords to a user in case he forgets it.

Absolutely not! In a well-engineered (from a security point of view) web app, a password is never sent to the user. Unfortunately, it is common that cleartext passwords are stored, but it is not necessary. If a user forgets a password, it should be considered compromised, and the user should pick a new one. This can happen through a link that was sent by email to an address associated with a username the user entered before - not to an address the user can enter just then!
 
manuel aldana
Ranch Hand
Posts: 308
Thank you,

Well, I do think the same.

But I just wondered, and found it really strange, how many webapps are sending passwords (even in shopping webapps).

I think it is considered more "user-friendly" and can be used in webapps where no money can be lost or no critical data is submitted (like forums etc.).

In my first post I of course did not mean a default password like "abc123"!! I merely meant a "good" random password computed by the server application.
 