Posted by Oli Filth on 01/19/06 16:15
d said the following on 19/01/2006 09:52:
> "cosmoKen" <kleprado@gmail.com> wrote in message
> news:1137597770.230051.17970@f14g2000cwb.googlegroups.com...
>> Why don't you generate a new random password when somebody wants to get
>> a forgotten password ?
>> So you have encrypted password without keys
>
> Because some sites don't want to provide new passwords to people every time
> they forget, as that's forcing the user to compromise for your security
> needs, which may be easier, but is not easier from the customer's
> perspective. phew. :)
How is sending a new password to the user (by e-mail) any less secure
than sending their original password?
--
Oli
[Back to original message]
|