EasyCFM.COM ColdFusion Forums / Good Coding Tips! / Emailing Passwords


dduck1934
09-20-2006 @ 10:24 AM
Senior Member | Posts: 264 | Joined: Sep 2004

I am interested in finding out some suggestions on how to go about users forgetting passwords and/or usernames. I see on easycfm you enter in your email and I'm guessing it sends your username and password (haven't tried it).

I am concerned about sending passwords through email. I've tried to think of other ways that will allow the user to go in and reset their password, or maybe generate a new random password if they forget their password. Also, the app I use will allow me, an admin on the site, to go in and reset a user's password to a generic password. I cannot see their password, so that is the only option I have.

Any thoughts on this?

Matthew (dduck1934)

I feel my luck could change...Its gonna be a glorious day.

Webmaster
09-20-2006 @ 11:37 AM
Administrator | Posts: 4542 | Joined: Jan 2002

How about a forgot-password question and answer? If the user gets it right, allow them to change the password (then you never send anything via email).

So if they forgot the password, they put in their email address... if it matches, then you would ask them a question (they answered it themselves at signup). If they get it right, allow the password change.

Pablo Varando
Senior Application Architect
EasyCFM.COM, LLC.

904.483.1457 \\ mobile
webmaster@easycfm.com \\email

mquack
09-20-2006 @ 7:03 PM
Moderator | Posts: 1544 | Joined: Jan 2005

For what it's worth, I don't trust any site that can retrieve my password and send it to me.  That's not to say that I don't use a site that can retrieve it, or I wouldn't be on here at EasyCFM, but I can assure you that my password for such sites is something that is completely BS and is not used for anything that is even remotely sensitive.

Knowing all of this, I hash all passwords on all of my apps, and if someone loses their password, they have two basic options:

1) Correctly answer the "secret question" (assuming that the app has that feature), or

2) The server resets their password to a randomly generated password and emails the new one to them (but does NOT include their user name).  They are then able to login using the new password, but cannot do anything else until they reset it to a personal one.


http://www.rachelqueensg.com

This message was edited by mquack on 9-20-06 @ 7:05 PM
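The two recovery options above (a secret question, or a random temporary password that must be changed at next login), together with the "hash all passwords" premise, as an added example. This is not code from the thread or from any EasyCFM application; it is written in Python rather than CFML so it can be run as-is, and it uses a salted, iterated KDF (PBKDF2-HMAC-SHA256) as the one-way hash. The `User` record, its field names, the 12-character temporary password, and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

# Iteration count for PBKDF2-HMAC-SHA256 (an assumption; tune for your hardware).
PBKDF2_ITERATIONS = 100_000


@dataclass
class User:
    """Constructed stand-in for a users table; column names are assumptions."""
    username: str
    email: str
    pw_salt: bytes
    pw_hash: bytes
    answer_salt: bytes
    answer_hash: bytes
    must_change_password: bool = False


def _kdf(secret: str, salt: bytes) -> bytes:
    # Salted, iterated one-way hash: the stored value cannot be turned back into
    # the password, which is why neither the server nor an admin can "see" it.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _normalize_answer(answer: str) -> str:
    # Secret answers are compared case- and whitespace-insensitively so that
    # "Fido " and "fido" match; the normalized form is what gets hashed.
    return " ".join(answer.lower().split())


def create_user(username: str, email: str, password: str, secret_answer: str) -> User:
    pw_salt, ans_salt = os.urandom(16), os.urandom(16)
    return User(
        username, email,
        pw_salt, _kdf(password, pw_salt),
        ans_salt, _kdf(_normalize_answer(secret_answer), ans_salt),
    )


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(_kdf(password, user.pw_salt), user.pw_hash)


def verify_secret_answer(user: User, answer: str) -> bool:
    return hmac.compare_digest(_kdf(_normalize_answer(answer), user.answer_salt), user.answer_hash)


def set_password(user: User, new_password: str) -> None:
    # Fresh salt on every change; a chosen password clears the forced-change flag.
    user.pw_salt = os.urandom(16)
    user.pw_hash = _kdf(new_password, user.pw_salt)
    user.must_change_password = False


def recover_via_question(user: User, answer: str, new_password: str) -> bool:
    """Option 1: a correct answer lets the user choose a new password; nothing is e-mailed."""
    if not verify_secret_answer(user, answer):
        return False
    set_password(user, new_password)
    return True


def reset_to_temporary_password(user: User) -> str:
    """Option 2: random temporary password, stored only as a hash, forced change at next login.

    The return value is the one and only plaintext copy; it goes into the
    e-mail body (without the username) and is never written anywhere else.
    """
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(12))
    set_password(user, temp)
    user.must_change_password = True
    return temp


def login(user: User, password: str) -> str:
    """Returns 'denied', 'change_required' (only the change-password page is reachable) or 'ok'."""
    if not verify_password(user, password):
        return "denied"
    if user.must_change_password:
        return "change_required"
    return "ok"
```

The two properties worth checking in any implementation of this model are that the data store never holds a recoverable password (only salted hashes, for answers as well), and that a temporary password is good for exactly one thing: reaching the change-password page. Secret answers are low-entropy compared with passwords, so the question path needs the same attempt limiting as the login form.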

dduck1934
09-20-2006 @ 10:17 PM
Senior Member | Posts: 264 | Joined: Sep 2004

The current system isn't using hashed passwords, but I have the green light to redo the entire application, which is good, in my opinion. It will be fun to recode the whole thing. Since the current system doesn't have the "ask a question" built in, I would have to go through and add that in there, so I think I will just go back and hash all the passwords and then only make it where it can be reset to a default password for their account.

Thanks Pablo, and mquack for your input.  I will consider both suggestions.

dduck1934

I feel my luck could change...Its gonna be a glorious day.

This message was edited by dduck1934 on 9-20-06 @ 10:24 PM

kevsarg18
03-21-2007 @ 1:34 PM
Senior Member | Posts: 428 | Joined: Jun 2004

I hash passwords also, + use a UUID for an activation code during sign up (can't log in until the activation link in the email is clicked; after OK activation the UUID is changed).

For password recovery, the user can enter a username or email address. When a match is found, an email is sent to the address IN THE DB with a notice that there was a request to change the password and a link containing the UUID to follow to continue with the change. The user can then enter and verify a new password. When that is successful, the UUID is changed again, making any other attempt to change the password from the email link invalid.

I don't know how normal this is, but it seems to work well, and I personally never like the 'question & answer' things if I forget my password.



My CFML Scripts.
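The link-based flow described above (lookup by username or email, mail sent only to the address on file, a one-time token that is rotated once the new password is accepted), as an added example that is not kevsarg18's code or any EasyCFM code. It is written in Python rather than CFML so it runs stand-alone. Three things go beyond the post and are the example's own choices: the token comes from a CSPRNG rather than a UUID (uniqueness is not the same as unpredictability), only a hash of the token is stored so a copy of the database contains no usable links, and tokens expire after a fixed time. The `Account` record, the `ACCOUNTS` table, the e-mail addresses, the link URL and the 15-minute lifetime are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

RESET_TTL_SECONDS = 15 * 60   # assumption: a link is dead 15 minutes after it was issued


@dataclass
class Account:
    username: str
    email: str                   # the address on file: mail goes here, never to user input
    pw_salt: bytes
    pw_hash: bytes
    reset_token_hash: Optional[bytes] = None   # hash only; the raw token exists only in the link
    reset_expires_at: float = 0.0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _hash_token(token: str) -> bytes:
    # Tokens are 256-bit random values, so an unsalted SHA-256 is sufficient here.
    return hashlib.sha256(token.encode("ascii")).digest()


def make_account(username: str, email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, email, salt, _hash_password(password, salt))


# Constructed sample users table, keyed by username.
ACCOUNTS = {
    "kevin": make_account("kevin", "kevin@example.com", "old-password"),
    "matthew": make_account("matthew", "matthew@example.com", "hunter2"),
}


def find_account(identifier: str) -> Optional[Account]:
    """Look up by username or by e-mail address, as the post describes."""
    key = identifier.strip().lower()
    for acct in ACCOUNTS.values():
        if acct.username.lower() == key or acct.email.lower() == key:
            return acct
    return None


def request_reset(identifier: str, send_mail: Callable[[str, str], None], now: float) -> None:
    """Step 1: issue a fresh single-use token and mail a link to the address in the DB.

    Returns nothing either way, so the caller shows the same "if that account
    exists, mail has been sent" message whether or not the lookup matched.
    """
    acct = find_account(identifier)
    if acct is None:
        return
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = _hash_token(token)        # replaces any earlier token
    acct.reset_expires_at = now + RESET_TTL_SECONDS
    send_mail(acct.email, f"https://app.example/reset?token={token}")


def complete_reset(token: str, new_password: str, now: float) -> bool:
    """Step 2: the link is followed; accept the new password and burn the token."""
    digest = _hash_token(token)
    for acct in ACCOUNTS.values():                    # a real DB would index on the token hash
        if acct.reset_token_hash is None or not hmac.compare_digest(acct.reset_token_hash, digest):
            continue
        acct.reset_token_hash = None                  # single use: valid or expired, it is gone now
        if now > acct.reset_expires_at:
            return False
        acct.pw_salt = os.urandom(16)
        acct.pw_hash = _hash_password(new_password, acct.pw_salt)
        return True
    return False


def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash_password(password, acct.pw_salt), acct.pw_hash)
```

`request_reset` deliberately gives no signal about whether the identifier matched an account, which keeps the form from being used to enumerate usernames and addresses. Issuing a new token overwrites the previous one, so only the most recent link works, and `complete_reset` clears the stored hash before it even checks the expiry, so a used or expired link can never be replayed.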

