[pmwiki-users] action diff, source and browse

Patrick R. Michaud pmichaud at pobox.com
Thu Mar 15 17:04:43 CDT 2007


On Thu, Mar 15, 2007 at 05:56:47PM -0400, The Editor wrote:
> >Normally one does not "unencrypt" passwords.  Instead, the way
> >passwords work is that one stores the encrypted form of a password,
> >and to check if an entered password matches the stored one, you
> >simply re-encrypt the entered password and make sure that the
> >resulting encryptions match.
> 
> Ahhh, thanks Pm.  Very clever.  But then how does one send a password
> reminder? Or is that not normally done?

Normally I'm not a fan of "password reminder" systems, as it
means that the password is sent via email (in cleartext),
and thus cannot be trusted after being sent.

What many systems do is send a message containing a link to be
followed in order to reset the password.  The link contains a
one-time-use code (essentially a random number) that allows the 
password to be changed for a limited period of time.  The
person receiving the mail can then use this link to regain
access to the account, and change the password to a known value.

Pm
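The two mechanisms described in this thread (store only the hashed form of the password and compare by re-hashing; send a one-time, time-limited code in a reset link instead of the password itself) as an added worked example. This is illustration code written for this page, not part of PmWiki; the in-memory dicts standing in for the user store, the PBKDF2 parameters, the 15-minute window and the link format are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed in-memory stand-ins for the wiki's user store (not PmWiki's own).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float}

TOKEN_TTL_SECONDS = 15 * 60   # assumed "limited period" for a reset link
PBKDF2_ROUNDS = 200_000       # assumed work factor

def hash_password(password, salt=None):
    """Return (salt, digest). The cleartext password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest

def create_user(username, password):
    """Create the account, or replace its password with a fresh salt."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}
    _revoke_tokens_for(username)   # a password change kills old reset links

def verify_password(username, password):
    """Re-hash what was entered and compare with the stored hash."""
    rec = USERS.get(username)
    if rec is None:
        # Do the same work for unknown users so timing does not reveal
        # whether the account exists.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])

def _token_key(token):
    # Only a hash of the token is kept server-side, so a leaked table of
    # outstanding tokens cannot be replayed against the reset endpoint.
    return hashlib.sha256(token.encode("ascii")).digest()

def _revoke_tokens_for(username):
    for key in [k for k, v in RESET_TOKENS.items() if v["user"] == username]:
        del RESET_TOKENS[key]

def issue_reset_token(username, now=None):
    """Create the random one-time code that goes into the e-mailed link."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None                  # caller should still send a neutral reply
    _revoke_tokens_for(username)     # at most one live reset link per account
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {"user": username,
                                       "expires": now + TOKEN_TTL_SECONDS}
    return token

def build_reset_link(token):
    # Assumed URL shape; a real wiki would use its own action/parameter names.
    return "https://wiki.example.org/pmwiki.php?action=resetpw&token=" + token

def redeem_reset_token(token, new_password, now=None):
    """Consume the code from the link; valid once, and only before expiry."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_key(token), None)  # removed whatever happens
    if entry is None or now > entry["expires"]:
        return False
    create_user(entry["user"], new_password)   # user picks a password they know
    return True

if __name__ == "__main__":
    create_user("alice", "correct horse")
    link = build_reset_link(issue_reset_token("alice"))
    tok = link.rsplit("token=", 1)[1]
    print("reset ok:", redeem_reset_token(tok, "new password"))
    print("old password still works:", verify_password("alice", "correct horse"))
```

Because the token is consumed on the first `redeem_reset_token` call, a link that has been read by someone else in transit is useless once the legitimate recipient has used it, and the expiry bounds the window in which an intercepted link is worth anything at all.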