Password Generation

 
Ranch Hand
I am developing a Registration module in my web application. I am following a JavaRanch pattern. The user will register and the password will be mailed to his email address. Now I would like to know how JavaRanch generates the password? Or is there any other way to generate a password?
 
Rancher
Sending passwords by email has gone out of fashion for security reasons. If you develop a new registration system you definitely shouldn't do that.

Usually, you have the user enter the password (twice, so you can be sure that they didn't mistype it) when she signs up. Then you would check the password against whatever constraints you want to require: it has a minimum length of 6 characters; it contains at least one non-letter or digit; no other user has that password; the password is not part of a dictionary of common words; etc.

If the user forgets the password, you'd send a link that allows her to log in exactly once (within the next hour or so), and which then requires her to enter a new password right away. That way you never need to send passwords by email.
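The reset flow Ulf describes (a link that works exactly once, expires after about an hour, and forces a new password) can be built from a random token whose hash, not the token itself, is stored beside an expiry time. The following is an added example, not JavaRanch's own code or anything from the thread; the `PasswordReset` class, its in-memory `pending` map (standing in for a database table), the `example.invalid` link and the user names are assumptions made for illustration. The one-hour lifetime and the password constraints (minimum length 6, at least one non-letter character) come from the post above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** One-time, time-limited password reset tokens (added example; hypothetical class, not JavaRanch's code). */
public class PasswordReset {

    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TOKEN_LIFETIME = Duration.ofHours(1);

    /** What the server keeps per pending reset: only the token's hash, never the token itself. */
    static final class PendingReset {
        final String userId;
        final byte[] tokenHash;
        final Instant expiresAt;
        boolean used = false;

        PendingReset(String userId, byte[] tokenHash, Instant expiresAt) {
            this.userId = userId;
            this.tokenHash = tokenHash;
            this.expiresAt = expiresAt;
        }
    }

    // Hypothetical in-memory store standing in for a database table keyed by user id.
    private final Map<String, PendingReset> pending = new HashMap<>();

    /** Issue a token: 32 random bytes, URL-safe so it fits in a link. The caller mails it; we keep only the hash. */
    public String issueToken(String userId, Instant now) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Re-issuing replaces any older token for this user, so only the newest link works.
        pending.put(userId, new PendingReset(userId, sha256(token), now.plus(TOKEN_LIFETIME)));
        return token;
    }

    /** Redeem: valid only if unexpired, unused, and the hash matches (constant-time compare). Marks it used on success. */
    public boolean redeemToken(String userId, String presentedToken, Instant now) {
        PendingReset pr = pending.get(userId);
        if (pr == null || pr.used || now.isAfter(pr.expiresAt)) {
            return false;
        }
        if (!MessageDigest.isEqual(pr.tokenHash, sha256(presentedToken))) {
            return false;
        }
        pr.used = true; // single use: a leaked or replayed link is dead after this
        return true;
    }

    /** The constraints from the post: minimum length 6 and at least one character that is not a letter. */
    public static boolean meetsPolicy(String password) {
        if (password == null || password.length() < 6) {
            return false;
        }
        return password.chars().anyMatch(c -> !Character.isLetter(c));
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        PasswordReset reset = new PasswordReset();
        Instant t0 = Instant.parse("2008-12-14T10:00:00Z"); // constructed clock value for the demo

        String token = reset.issueToken("alice", t0);
        // Hypothetical link; only this token goes in the mail, never a password.
        System.out.println("mail this: https://example.invalid/reset?user=alice&token=" + token);
        System.out.println("redeem after 30 min: " + reset.redeemToken("alice", token, t0.plus(Duration.ofMinutes(30))));
        System.out.println("redeem a second time: " + reset.redeemToken("alice", token, t0.plus(Duration.ofMinutes(31))));

        String bobToken = reset.issueToken("bob", t0);
        System.out.println("redeem after 2 hours: " + reset.redeemToken("bob", bobToken, t0.plus(Duration.ofHours(2))));
        System.out.println("redeem wrong token: " + reset.redeemToken("alice", "not-the-token", t0));

        System.out.println("policy 'secret': " + meetsPolicy("secret"));
        System.out.println("policy 'secr3t!': " + meetsPolicy("secr3t!"));
    }
}
```

Two design choices matter here: the store holds only `sha256(token)`, so someone who reads the database (or a backup) cannot forge a working link, and the comparison uses `MessageDigest.isEqual` rather than `Arrays.equals` so the check does not leak how many leading bytes matched. Once `redeemToken` returns true the application should show the new-password form and set the new password in the same request, with `meetsPolicy` applied to it before it is accepted.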
 
Vikas Kapoor
Ranch Hand

If the user forgets the password, you'd send a link that allows her to log in exactly once (within the next hour or so), and which then requires her to enter a new password right away. That way you never need to send passwords by email.

Ulf, I really don't understand your logic behind this. One hour? Won't it be a kind of constraint on the user? As a user I don't like it if a site asks/forces me to behave in this way. But you know better than me, obviously. So please tell me the logic behind this?

And the other thing is that I have seen many websites that send the password to the user at his email address. How come it is insecure?
[ December 14, 2008: Message edited by: Vishal Pandya ]
 
Ulf Dittmer
Rancher

I really don't understand your logic behind this. One hour? Won't it be a kind of constraint on the user? As a user I don't like it if a site asks/forces me to behave in this way.


Well, the time can be longer (like a day) but not longer than that. Secure registration and login is important; if the user is careless enough to forget his password, then this tiny inconvenience (and I would dispute that it is much of an inconvenience) is what he has to put up with.

And the other thing is that I have seen many websites that send the password to the user at his email address. How come it is insecure?


Yes, many sites do this, JavaRanch included. But from a security point of view, that sucks. Email is not a secure communication medium. People check it from public terminals and forget to log out. People use it over public WLANs that may or may not be properly secured. Or they store it and forget it until someone else finds it. In companies it is not uncommon that some colleagues have read-only access to one's email. And so on. The bottom line is: passwords don't belong in emails. Registration and password recovery links need to be time-limited for the same reason.
[ December 14, 2008: Message edited by: Ulf Dittmer ]
 
Don't get me started about those stupid light bulbs.