Jitse

Jitse

  • NA
  • 8
  • 0

Security Suggestion: Hashing

Nov 17 2007 2:48 PM
Good day,

First of all, this is a nice forum. :) I still haven't got a 'check-daily-forum' for C#, but this one seems to fit, although it's a little slow maybe.

I have one suggestion though, I noticed you send a notification mail when eg. you change your account information, or when you use the lost password thing or so. And in that mail you add the password of the user.

Now this is something that always annoyed me: since you can tell me my own password, that means my password is stored somewhere on your servers. That's not how a service is supposed to work, a service should only store the hash of the password on the servers. That's the reason why many services can only 'reset' your password, instead of recovering it. This is not only safer with storing, but also sending the password when someone logs in, creates an account, ... Encpryption is certainly not enough, and doesn't fit for passwords anyway. Are you planning on changing this?

Anyway, I hope this forum will get more active every day. :)