Re: [PHP] Re: Securing user table with sha function
- From: ceo@xxxxxxxxx ("Richard Lynch")
- Date: Tue, 20 Feb 2007 18:37:35 -0600 (CST)
On Mon, February 19, 2007 5:12 am, Fergus Gibson wrote:
>> 4) if user forget his or her password, you can send email to the
>> user when the user answer password protected question.
>
> Kinda impossible if the password is hashed, isn't it? What a strange
> thought, though. I guess all those sites with password reminder
> functions have the password stored in plain text somewhere.
Yes.
And email is an inherently insecure medium, unless you have exchanged
off-line key pairs or something and the user has the skill to install
crypted email software packages.
Even the sites that generate a new random password to email to you
risk the email being inspected in transit, even if the password in the
db is not plain text anywhere at all.
You need at least 3 passwords to surf the web, really.
#1. Real password for like, online banking, where you're pretty sure
they have security "right" (well, the odds are good anyway)
#2. Second level real password for, like, personal info sites, or
"important" private data.
#3. Useless throw-away password for stupid sites you don't really care
about that require a password.
You might even want a #1a for online shopping where you would HOPE the
online store did it right, but don't want to risk the password that
unlocks your bank account, just in case they are one of the ones that
got it very very very wrong.
Something like eBay or Amazon or PayPal, if you use them frequently,
might warrant yet another good password.
Now if I could just remember which EMAIL or USERNAME I used for each
site, I'd be all set... :-(
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
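
An added example, not part of the original message or thread: a reset flow that works with a hashed user table by emailing a short-lived, single-use token instead of any password, so an email read in transit exposes only a link that expires and dies on first use. It assumes current PHP (`password_hash()` and `random_bytes()` rather than the sha function the thread discusses); the in-memory `$users` array and the function names `issue_reset` and `redeem_reset` are hypothetical.

```php
<?php
// Constructed in-memory "user table"; a real application would use a database.
$users = [
    'alice@example.com' => [
        'pw_hash'     => password_hash('correct horse', PASSWORD_DEFAULT),
        'reset_hash'  => null,   // SHA-256 of the outstanding reset token
        'reset_until' => 0,      // Unix time after which the token is dead
    ],
];

// Issue a reset token. Only its hash is stored, so a leaked table
// does not hand out working reset links.
function issue_reset(array &$users, string $email, int $ttl = 900): ?string
{
    if (!isset($users[$email])) {
        return null;             // caller shows the same message either way
    }
    $token = bin2hex(random_bytes(32));
    $users[$email]['reset_hash']  = hash('sha256', $token);
    $users[$email]['reset_until'] = time() + $ttl;
    return $token;               // goes into the emailed link, never a password
}

// Redeem the token once and set a password the user chooses.
function redeem_reset(array &$users, string $email, string $token, string $newPw): bool
{
    $u = $users[$email] ?? null;
    if ($u === null || $u['reset_hash'] === null || time() > $u['reset_until']) {
        return false;            // unknown user, no token issued, or expired
    }
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false;            // constant-time comparison of token hashes
    }
    $users[$email]['pw_hash']     = password_hash($newPw, PASSWORD_DEFAULT);
    $users[$email]['reset_hash']  = null;   // single use
    $users[$email]['reset_until'] = 0;
    return true;
}

$token = issue_reset($users, 'alice@example.com');
var_dump(redeem_reset($users, 'alice@example.com', $token, 'new passphrase')); // first use
var_dump(redeem_reset($users, 'alice@example.com', $token, 'attacker pick'));  // replay
var_dump(password_verify('new passphrase', $users['alice@example.com']['pw_hash']));
```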