CGI question: safe passwords possible?
peter at engcorp.com
Mon Jun 2 15:51:34 CEST 2003
Paul Rubin wrote:
> Peter Hansen <peter at engcorp.com> writes:
> > Also note: you won't be able to have your users change their passwords
> > securely with any such approach. For that, I believe SSL is going to
> > be the only secure option, to avoid ever sending a password to the server
> > in the clear. (Or generate passwords on the server side and email to the
> > user, though that has obvious other problems...)
> You could use the old password as a key to encrypt the new password.
> Of course that's not too clever if the reason for changing the password
> is that the old one is compromised...
Ah, a nice solution, I would say. If the password is actually compromised,
requiring the user to contact the administrator to "reset" their password,
or asking the server to generate a new password which is sent via email,
would be reasonably acceptable approaches.
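
The exchange discussed above, as an added example that is not part of the original posts: the client encrypts the new password under a key derived from the old one, and the server decrypts it. The function names, the PBKDF2-derived key the server is assumed to store, and the HMAC-based keystream (a standard-library stand-in for a real authenticated cipher) are all assumptions of this sketch.

```python
import hashlib
import hmac
import os

def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a password into a 32-byte key (assumed to be what the server stores)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stdlib-only stand-in for a real AEAD cipher.
    blocks = [hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal_new_password(old_key: bytes, new_password: str) -> bytes:
    """Client side: encrypt-then-MAC the new password under the old password's key."""
    nonce = os.urandom(16)
    data = new_password.encode("utf-8")
    stream = _keystream(_subkey(old_key, b"enc"), nonce, len(data))
    ciphertext = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(_subkey(old_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_new_password(old_key: bytes, blob: bytes):
    """Server side: return the new password, or None if the tag does not verify."""
    if len(blob) < 48:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(old_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(old_key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode("utf-8")

def demo():
    salt = b"constructed-salt"                    # constructed sample value, public per user
    server_key = derive_key("old-secret", salt)   # constructed sample password
    blob = seal_new_password(derive_key("old-secret", salt), "new-secret")
    accepted = open_new_password(server_key, blob)
    # Someone who never knew the old password cannot read or forge the request...
    outsider = open_new_password(derive_key("guess", salt), blob)
    # ...but a holder of the compromised old password decrypts a captured request.
    eavesdropper = open_new_password(derive_key("old-secret", salt), blob)
    return accepted, outsider, eavesdropper
```

The tag also lets anyone who captures the request test guesses at the old password offline, so the scheme is only as strong as that password.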