CGI question: safe passwords possible?

Peter Hansen peter at engcorp.com
Mon Jun 2 15:51:34 CEST 2003


Paul Rubin wrote:
> 
> Peter Hansen <peter at engcorp.com> writes:
> > Also note: you won't be able to have your users change their passwords
> > securely with any such approach.  For that, I believe SSL is going to
> > be the only secure option, to avoid ever sending a password to the server
> > in the clear.  (Or generate passwords on the server side and email to the
> > user, though that has obvious other problems...)
> 
> You could use the old password as a key to encrypt the new password.
> Of course that's not too clever if the reason for changing the password
> is that the old one is compromised...

Ah, a nice solution, I would say.  If the password is actually compromised,
requiring the user to contact the adminstrator to "reset" their password,
or asking the server to generate a new password which is sent via email,
would be reasonably acceptable approaches.

-Peter




More information about the Python-list mailing list