Posted by d on 01/19/06 17:30
"Oli Filth" <catch@olifilth.co.uk> wrote in message
news:xaNzf.5581$Kt5.678@newsfe6-gui.ntli.net...
> d said the following on 19/01/2006 09:52:
>> "cosmoKen" <kleprado@gmail.com> wrote in message
>> news:1137597770.230051.17970@f14g2000cwb.googlegroups.com...
>>> Why don't you generate a new random password when somebody wants to get
>>> a forgotten password?
>>> So you have encrypted password without keys
>>
>> Because some sites don't want to provide new passwords to people every
>> time they forget, as that's forcing the user to compromise for your
>> security needs, which may be easier, but is not easier from the
>> customer's perspective. phew. :)
>
> How is sending a new password to the user (by e-mail) any less secure than
> sending their original password?
I never said that :) I was saying that sending the current password to the
user is easier for the user than sending them a new one. The only reason
one would send them a new password is because their password isn't readable
on the server. That's done through security needs of the server, as opposed
to desired functionality.
Sorry if I wasn't clear enough on that.
>
> --
> Oli