Posted by Jerry Stuckle on 12/30/07 21:28
C. (http://symcbean.blogspot.com/) wrote:
> On 29 Dec, 13:50, Anthony Levensalor <anth...@mypetprogrammer.com>
> wrote:
>> rf said:
>>
>>> "twomt" <no-re...@nemesiswar.net> wrote in message
>>> news:fl5ea5$d1u$1@aioe.org...
>>>> Hello,
>>>> are there any tutorials/guides out there that explain how to handle this
>>>> subject?
>>>> I was thinking of having a member enter his username and email, after
>>>> which I then email him a new password.
>>> To where would you email him the new password? What if I enter my email
>>> address, do you email his new password to me?
>>> --
>>> Richard.
>> No, that would be stupid. If someone has a password with me, as in an
>> account at one of my sites, I already have their email in a database. I
>> mail the new password to that address, and done is done.
>>
>> ~A!
>>
>> --
>> Anthony Levensalor
>> anth...@mypetprogrammer.com
>>
>> Only two things are infinite, the universe and human stupidity,
>> and I'm not sure about the former. - Albert Einstein
>
> 1) that's inflexible - you are expecting the user to know 2 out of
> three facts
Which is why I only require the user id.
> 2) it provides a way for a third party to carry out a denial of
> service attack against your users.
>
Not at all. At most the user will get one email per day. The system
won't send it more often than that.
> If you look at existing systems the more sensible ones send out a URL
> with a single use visa in the query part allowing the user to
> access the site without presenting their login credentials.
>
> C.
>
True. But just sending the password once works, also. Not as secure,
but oftentimes it's secure enough.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================