Coffeehouse Thread

8 posts


Password Email Suggestion

  • SloopJohnB

    I think it's a nice touch to get an email stating that your password has been changed, but does the **new password** have to be in the email?  It's one thing to have to ask for your password to be sent because you forgot it, but I really think it's another matter entirely to have the password sent without solicitation.

    I feel pretty strongly that the decision to expose one's password -- other than the initial "use once" one -- to email should be up to the end user and not the system.

    In fact, another web site I do business with warns users to change their password after it has been sent over the wire (i.e., because you've forgotten it).

    Just a thought...

    John Barone

  • fryguybob

    Agreed!

  • CindySue

    Got a good grin out of your post..

    For a couple of years now, I've been dutifully receiving monthly emailings from several usually consumer-oriented listservs that have a gov't link to them somehow. These emails come out regularly reminding me that yes, indeed, I am still a member of their lists. Usually just delete them all as a nuisance.

    Accidentally opened one just this very past weekend only to find my password down at the bottom. Most interesting during these times when privacy and security are such huge issues..

    They're not the only ones that do it to me on a regular basis. Just that one would think if ANYBODY had privacy in mind, it would be them.. :o/

    I've tried to communicate with various admins in the same way you did here but get too busy to see if the offending admin ever decided the issue warranted them altering what surely couldn't be more than a smidgeon of their code to change the process..

    Peace..

    Cindy

    PS.. Long as I have the screen.. Your post reminded me that the only virus-laden emails I've received in recent months came from gov't-based computers (both local and national emailings).

    Shame, shame, shame.. Why am I not more surprised than I am.. Grin!

  • Alex Keizer

    This would probably also mean that the password itself is stored in the Channel9-database.

    MSDN has an article on how to use hashing to prevent storing the actual password. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod17.asp

    Alex.

  • Tejaaa

    I will have to completely agree here; there is no need to send the password when the initial password is changed.

    Tejas Patel

  • SloopJohnB

    Thanks for the link.  The article was really helpful.  I'll have to play w/it.

    ??:  I noticed that the HashPasswordForStoringInConfigFile method is in the System.Web namespace.  Does that mean that IIS has to be running for it to work, or is it sufficient if the proper OS (Win 2K, XP Pro, 2K3) is present?

    John Barone

  • Alex Keizer

    I use this for securing ASP.NET apps but the principle itself works for other scenarios as well. There are also more generic functions in the framework to deal with crypto.

    If you do a quick google you'll find a number of articles on the subject.

    http://www.codeguru.com/columns/DotNet/article.php/c4703/

    Alex.

  • Jizg

    Burlywood bump
