[FX.php List] [Off] Using Clear Text Passwords/Registration Design
Jonathan Schwartz
jschwartz at exit445.com
Thu Feb 12 07:34:19 MST 2009
Hi Folks,
Does anyone have advice or links to reference material on the design
of well-designed registration/log-in systems, particularly involving
the sending of passwords in cleartext?
Here's the problem... some end users of a client's project complain
about receiving their passwords via email in cleartext. Googling the
subject turns up an ongoing debate between security and convenience.
From personal experience, there seem to be a myriad of combinations
of how registration systems work. They might... or might
not... involve these components:
- original data form
- self-assigned or system-assigned password
- change password on first use
- change password at defined intervals
- email confirmation to complete registration
- encrypted, encrypted with salt, etc.
And then there are the 'retrieve or reset password' routines.
For reference, I am allowing the end user to specify the password,
sending the password in cleartext in the confirmation email and also
sending the password via email in cleartext in the 'retrieve
password' routine. There is personal information involved.
An additional question: Are we theoretically protecting from 1)
eavesdropping on emails as they are being sent, 2) theft of
recipient's emails/computer after being received, 3) theft/loss of
the client's database...or all of the above?
I know that there isn't any single answer, and it depends on the
circumstances, but I was looking for a discussion or an article or
two that covers the subject.
Thanks,
Jonathan
--
Jonathan Schwartz
Exit 445 Group
jonathan at exit445.com
http://www.exit445.com
415-370-5011
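As an added illustration of the design points raised above (not code from the original post or from the FX.php project), the following PHP sketch shows one common answer to the three threats the poster lists: the database holds only a salted hash of each password (so a stolen database does not yield passwords), and the "retrieve password" routine emails a random, single-use, expiring reset token instead of the password itself (so an eavesdropped or later-stolen email is worthless once the token is used or has expired). The in-memory `$users` and `$resetTokens` arrays, the one-hour token lifetime and the sample account are all constructed for the example; `password_hash()`, `password_verify()` and `random_bytes()` are standard PHP functions (PHP 7.0 or later).

```php
<?php
// Added example, not from the original post or the FX.php project.
// Assumption: $users and $resetTokens stand in for two database tables
// (user -> password hash, token hash -> owner + expiry).

declare(strict_types=1);

const RESET_TOKEN_TTL = 3600; // seconds a reset link stays valid (assumed policy)

/** Registration: keep only a salted hash; the cleartext password is never stored. */
function registerUser(array &$users, string $email, string $password): void
{
    // password_hash() draws a random per-user salt and embeds it in the result,
    // so two users with the same password still get different hashes.
    $users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

/** Login: compare the candidate against the stored hash in constant time. */
function verifyLogin(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    return password_verify($password, $users[$email]['hash']);
}

/**
 * "Forgot password": the site cannot recover the password (it only has a hash),
 * so it issues a random token. Only the token goes into the email; the table
 * stores a hash of it, so a database leak does not expose usable reset links.
 */
function createResetToken(array &$resetTokens, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $resetTokens[hash('sha256', $token)] = [
        'email'   => $email,
        'expires' => $now + RESET_TOKEN_TTL,
    ];
    return $token;
}

/** Consume the token: it must exist and be unexpired, and it is deleted on first use. */
function resetPassword(array &$users, array &$resetTokens, string $token,
                       string $newPassword, int $now): bool
{
    $key = hash('sha256', $token);
    if (!isset($resetTokens[$key]) || $resetTokens[$key]['expires'] < $now) {
        unset($resetTokens[$key]); // drop expired entries as they are seen
        return false;
    }
    $email = $resetTokens[$key]['email'];
    unset($resetTokens[$key]); // single use: a replayed link fails below
    $users[$email]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Usage with a constructed sample account.
$users = [];
$resetTokens = [];
registerUser($users, 'alice@example.com', 'correct horse battery staple');
var_dump(verifyLogin($users, 'alice@example.com', 'correct horse battery staple'));
var_dump(verifyLogin($users, 'alice@example.com', 'wrong password'));

$token = createResetToken($resetTokens, 'alice@example.com', time());
var_dump(resetPassword($users, $resetTokens, $token, 'new passphrase', time()));
var_dump(resetPassword($users, $resetTokens, $token, 'replayed link', time()));
var_dump(verifyLogin($users, 'alice@example.com', 'new passphrase'));
```

The confirmation email at registration can follow the same pattern: send a one-time activation token rather than echoing the password back, which removes the cleartext copy from the recipient's mailbox entirely. Note that the token table answers only threats 1 and 2 from the question for the reset flow; a stolen database (threat 3) is covered by the hashing in `registerUser()`, which is why the two pieces are shown together.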