password email

2:51am JST Tuesday 31 August 2010 (day 14769)

I just tried to create an account with a website, and noticed a couple problems.

Hi,

I found a bit of a bug in your account creation process. When I created a new account using the password below, I was told it was an invalid password. Even though I received that message, the account was created anyway. That's the bug.

Worse, however, your system is insecure because the passwords are stored in plaintext in your database. That's bad. To handle them properly, you should hash the passwords with salt and store the hashed password. Then when someone loses their password, you create a temporary password, hash that and store it in the DB while sending them a link including the plaintext version. They click on the link, the password in the URL is hashed and compared to the DB, and if it matches, remove the DB entry and then show the user the change password page where they can change their password.

Here's some more info: http://stackoverflow.com/questions/1581610/help-me-make-my-password-storage-safe/1581919#1581919

Please note that md5 is no longer considered secure for password hashing.

Thanks - Rob

On Tue, Aug 31, 2010 at 01:26, ________.com wrote:
> You have just requested your password from ________.com
>
> Email = ________.com@robnugen.com
> Password = xxxxxxxxxx

I wonder how/if they will reply.

Note, ________ and xxxxxxxxxx are placeholders.
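Here is the flow the email describes, written out as an added example (it is not code from this journal or from the site Rob wrote to, and it uses only the Python standard library). Everything not in the email is an assumption: two in-memory dicts stand in for the site's tables, PBKDF2-HMAC-SHA256 with a per-entry random salt replaces md5, the "temporary password" is a random URL-safe token that expires after 15 minutes and is accepted once, the reset link points at the placeholder host `example.invalid`, and a 12-character minimum stands in for whatever password policy the site actually enforces. It also closes the first bug in the email: validation runs before any write, so a rejected password never produces an account.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed in-memory "database" (assumption: stands in for the site's real tables).
USERS = {}         # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # email -> {"salt": bytes, "hash": bytes, "expires": float}

# Kept low so the example runs quickly; production deployments use far higher counts.
PBKDF2_ITERATIONS = 100_000
RESET_TTL_SECONDS = 15 * 60
RESET_HOST = "https://example.invalid"  # placeholder, not a real site


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 in place of md5: the random salt defeats precomputed tables.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def password_is_valid(password: str) -> bool:
    # Stand-in policy (assumption); the site's real rules are not on the page.
    return len(password) >= 12


def register(email: str, password: str) -> bool:
    # The bug from the email was "invalid password, but the account got created anyway".
    # Validating first and returning before any write prevents that.
    if not password_is_valid(password) or email in USERS:
        return False
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash(password, salt)}
    return True


def login(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        _hash(password, b"\x00" * 16)  # dummy work so timing does not reveal unknown emails
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def reset_link(email: str, token: str) -> str:
    return RESET_HOST + "/reset?" + urlencode({"email": email, "token": token})


def parse_reset_link(link: str) -> Tuple[str, str]:
    q = parse_qs(urlparse(link).query)
    return q["email"][0], q["token"][0]


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    # Only the hash of the token is stored; the plaintext token leaves once, inside the link.
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    salt = os.urandom(16)
    RESET_TOKENS[email] = {"salt": salt, "hash": _hash(token, salt),
                           "expires": now + RESET_TTL_SECONDS}
    return reset_link(email, token)


def consume_reset(email: str, token: str, new_password: str,
                  now: Optional[float] = None) -> bool:
    # Hash the token from the URL, compare with the stored hash, then remove the entry.
    rec = RESET_TOKENS.get(email)
    if rec is None:
        return False
    now = time.time() if now is None else now
    if now > rec["expires"]:
        del RESET_TOKENS[email]
        return False
    if not hmac.compare_digest(rec["hash"], _hash(token, rec["salt"])):
        return False
    if not password_is_valid(new_password):
        return False  # entry stays until expiry so the user can retry with a valid password
    del RESET_TOKENS[email]  # single use
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash(new_password, salt)}
    return True


def plaintext_in_db(secret: str) -> bool:
    # Audit helper: true only if some stored value equals the plaintext password or token.
    stored = [v for rec in list(USERS.values()) + list(RESET_TOKENS.values()) for v in rec.values()]
    return secret.encode("utf-8") in stored
```

The `plaintext_in_db` check is the property the email complains about: after registration and after a reset request, neither the password nor the token can be found anywhere in the store, so a database dump cannot be turned into a "Password = ..." email. The comparison in `login` and `consume_reset` uses `hmac.compare_digest` so a wrong guess does not leak how many bytes matched.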