Forum OpenACS Development: Re: Can question/secret answer be removed from password recovery?

Doh! I forgot about the password being encrypted in the database with a one-way hash. Good point, Robert.

So for anyone genuinely worried about DoS attacks via the "I forgot my password, please reset it and email it to me" page: the existing "question/answer" method sounds like a good solution to that problem. Any change that simply goes back to storing unencrypted passwords in the database is probably a very bad idea.

Note that if someone can extract a plaintext password from your database, you have pretty much lost it, haven't you? I'm not saying that it should be done, but it isn't the same thing as an /etc/passwd file where every local user can read the file.

I can never remember the answer to a question I choose. Capitalization matters as well. Bottom line is that this is a difficult problem with no obvious 'easy' solution.

I have to agree with Tom. If people can access your database, a lot has already been lost. Why? You can make yourself SWA with a SQL command. Then you log in to the site, look at the user details, "become this user" and change the password. At least this is what we are doing all the time if a user has lost his password and can't for the heck of it remember it.

So, storing the password unencrypted is preferable if combined with the option to resend the current password to the user. We could make this an optional switch (resend_password vs. create_new_password).

As always there is a catch though: users are a lazy bunch. They usually use the same password for a couple of websites. Storing the password encrypted prevents the maintainers of the site from accessing your password and trying it out on other sites. Furthermore, sending your current password over the net via email makes it possible to obtain your login for other sites for the occasional password-searching filter.
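The thread above circles around one trade-off: a one-way hash means the site cannot email the current password back, while plaintext storage makes "resend my password" possible but exposes every user who reuses that password elsewhere. The following is an added example (not OpenACS code, and not anything posted in this thread) showing how a reset flow can keep passwords hashed and still avoid the denial-of-service concern raised earlier: instead of immediately replacing the user's password when someone clicks "I forgot my password", the site issues a random, short-lived, one-time token and leaves the existing password valid until the token is actually used. All class and function names, the PBKDF2 iteration count, the token lifetime and the per-account request limit are assumptions chosen for illustration.

```python
"""Added example: hashed password storage plus a token-based reset flow.

Not OpenACS code. Names, constants and the rate-limit policy are
illustrative assumptions, not a description of any real site's behaviour.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000        # assumed tuning value for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 15 * 60        # assumed: a reset link is good for 15 minutes
MAX_REQUESTS_PER_WINDOW = 3        # assumed: at most 3 reset mails per account ...
WINDOW_SECONDS = 60 * 60           # ... per hour, so the page cannot be used to spam a user


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow, one-way hash. There is no way back to the password from this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _token_key(token: str) -> bytes:
    """Store only a hash of the reset token, so a database dump does not yield usable links."""
    return hashlib.sha256(token.encode("utf-8")).digest()


class UserStore:
    """In-memory stand-in for the users table; `clock` is injectable for testing."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}          # username -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}   # sha256(token) -> (username, expires_at)
        self.request_log = {}    # username -> [timestamps of reset requests]

    def create_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash_password(password, salt)}

    def verify_login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # Constant-time comparison of the stored hash against a fresh hash of the attempt.
        return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

    def request_reset(self, username: str):
        """Return a one-time token to be emailed, or None if unknown user / rate-limited.

        The stored password is NOT touched here: an attacker hammering this page
        cannot lock the legitimate user out, which is the DoS worry in the thread.
        A real page should answer identically for known and unknown usernames.
        """
        now = self.clock()
        if username not in self.users:
            return None
        recent = [t for t in self.request_log.get(username, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            self.request_log[username] = recent
            return None
        recent.append(now)
        self.request_log[username] = recent
        token = secrets.token_urlsafe(32)           # 256 bits of randomness
        self.reset_tokens[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (one use only) and, if still valid, set a new hashed password."""
        entry = self.reset_tokens.pop(_token_key(token), None)
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            return False
        salt = os.urandom(16)                        # fresh salt on every password change
        self.users[username] = {"salt": salt, "hash": _hash_password(new_password, salt)}
        return True
```

Compared with "resend the current password", this gives the site nothing it could replay against the user's other accounts, and the email only ever carries a token that is useless after one use or after the assumed 15-minute window. Compared with "reset it and email the new one", a flood of requests produces at most a few emails per hour and never changes the password the user already knows.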