
Get password from database and send email

 
arushi tomar
Ranch Hand
Posts: 91
I have used Hibernate in my application. I have a login page where the user enters credentials, and they are validated from the DB. Now, if a user forgets their password, I have provided a link "forgot password" which redirects to a webpage that takes the email id as input from the user, and then the control is passed to a servlet, where I want to fetch the password of that user from the database. What should I use for it? I think I cannot use ResultSet as I want only one password at a time to be fetched from the database and sent in an email to the user.
 
Tim Moores
Bartender
Posts: 3137
ResultSets can return any number of records: 0, 1 or many.

But more importantly, you should never send passwords by email. In fact, that should not even be possible: the proper way to store passwords is hashed (maybe using SHA 256), so nobody (including the server-side code) can get at them.
 
Dave Tolls
Ranch Hand
Posts: 2112
This is why on any site with at least some semblance of security you will only find a "reset password" option.
 
arushi tomar
Ranch Hand
Posts: 91
I am storing encrypted password values in the database. I was thinking of sending the decrypted value to the email if somebody forgets their password. Is this not okay? If not, then:

If I do the reset password, I will allow the user to reset their password by e-mailing them a link to reset the password, where I will use a session value to update the password in the database with the new password that the user inputs. Am I right?
 
Scott Selikoff
author
Saloon Keeper
Posts: 4033
Tim is correct: it should not be possible to decrypt the password, nor is it recommended to send it over e-mail. You store the salted hash of the password in the db, and compare this against any request to log in.

Using a URL/temp password for password reset is much more common provided you make sure that:
- It expires if not used within a relatively small time frame (one hour or one day)
- It can only be used once and then never again

You shouldn't replace the user's password in the database with the temp one, though, as it may not have been the user that requested the reset. It should be in a separate table/column.
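The three requirements above (short expiry, single use, and a separate table so the real password is untouched until the link is redeemed) fit in a small service. The following is an added example written for this thread, not code from any poster; the table `password_reset_tokens (user_id, token_hash, expires_at, used)`, the `users (id, password_hash)` table, the one-hour lifetime and the use of plain JDBC rather than Hibernate are all assumptions. `newPasswordHash` is expected to be the salted hash of the password the user chose on the reset page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

/** Added example: expiring, single-use reset tokens kept apart from the users table. */
public final class PasswordResetService {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofHours(1); // assumption: unused tokens die after an hour

    private final Connection db;

    public PasswordResetService(Connection db) {
        this.db = db;
    }

    /**
     * Issues a token for the user. Only the SHA-256 of the token is stored, so a leaked table
     * does not yield usable links. The raw token is returned to be put in the e-mailed URL.
     */
    public String issueToken(long userId) throws SQLException {
        byte[] raw = new byte[32]; // 256 random bits, so an unsalted hash of it is sufficient
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        try (PreparedStatement ps = db.prepareStatement(
                "INSERT INTO password_reset_tokens (user_id, token_hash, expires_at, used) "
              + "VALUES (?, ?, ?, FALSE)")) {
            ps.setLong(1, userId);
            ps.setString(2, sha256Hex(token));
            ps.setTimestamp(3, Timestamp.from(Instant.now().plus(TTL)));
            ps.executeUpdate();
        }
        return token;
    }

    /**
     * Redeems a token. The UPDATE that flips `used` is the atomic check: it matches only an
     * existing, unexpired, unused token, so two concurrent redemptions cannot both succeed.
     */
    public boolean resetPassword(String token, String newPasswordHash) throws SQLException {
        String hash = sha256Hex(token);
        boolean previousAutoCommit = db.getAutoCommit();
        db.setAutoCommit(false);
        try {
            try (PreparedStatement consume = db.prepareStatement(
                    "UPDATE password_reset_tokens SET used = TRUE "
                  + "WHERE token_hash = ? AND used = FALSE AND expires_at > ?")) {
                consume.setString(1, hash);
                consume.setTimestamp(2, Timestamp.from(Instant.now()));
                if (consume.executeUpdate() != 1) {
                    db.rollback();
                    return false; // unknown, expired, or already-used token
                }
            }
            long userId;
            try (PreparedStatement lookup = db.prepareStatement(
                    "SELECT user_id FROM password_reset_tokens WHERE token_hash = ?")) {
                lookup.setString(1, hash);
                try (ResultSet rs = lookup.executeQuery()) {
                    if (!rs.next()) {
                        db.rollback();
                        return false;
                    }
                    userId = rs.getLong(1);
                }
            }
            // Only now is the real credential touched, and only with the hash of the new password.
            try (PreparedStatement update = db.prepareStatement(
                    "UPDATE users SET password_hash = ? WHERE id = ?")) {
                update.setString(1, newPasswordHash);
                update.setLong(2, userId);
                update.executeUpdate();
            }
            db.commit();
            return true;
        } catch (SQLException e) {
            db.rollback();
            throw e;
        } finally {
            db.setAutoCommit(previousAutoCommit);
        }
    }

    private static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.US_ASCII));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The reset servlet calls `issueToken`, mails a link containing the returned token, and later passes the token from the link plus the hash of the newly chosen password to `resetPassword`. Because the token is consumed before the users row is updated, a request with a stale or reused link changes nothing. A sensible extension is to mark all of a user's other outstanding tokens used in the same transaction once one is redeemed.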
 
Karthik Shiraly
Bartender
Posts: 1210
Certain components of a software system are so critical that not applying best development practices in those areas can slam a company with shockingly high legal, financial, customer, organizational and business costs - and all that slamming together all at the same time!

Storing passwords in plaintext and mailing them to customers is such a basic security mistake and has caused so many data breaches that it's not even funny now in 2015.
How would you feel if your bank sent you an email today stating that your savings account details, password and CVV may be compromised, and that you should check for any unauthorized transactions? Would you continue keeping your money in such a bank?
Guess whom managements blame when (and in 2015, it really has become a case of when, not if) data breaches occur?

This is not just another programming problem to be solved by googling and copy-pasting some code snippets from the Internet.
This is one of those situations where a company's management may not realize the criticality of the problem, or may have simply assumed that their development team will do the right thing.
So as a software engineer with a code of ethics, it's up to you to step up and do the right thing the right way.

In my opinion, you should stop the coding, talk to your managers about the criticality of this area, upgrade your knowledge by yourself or with company sponsored training (preferably the latter), and only then come back to the coding.

Here are a few resources that will help. Don't skip reading the long form articles.

Understand the gravity of the business and management problem:
(PDF) 2015 cost of data breaches
A security code of ethics for developers and management
Understand the psychology behind why development orgs neglect security

Understand Design and Architecture issues:
OWASP authentication guide
Lessons, including password storage, from the Tesco breach

Understand implementation issues:
Why naive hashing is not enough
Secure password reset
Understand basics of password storage
Next understand why the above was good in 2007 but is no longer enough now in 2015
Security tips
OWASP authentication recipes
OWASP password guidelines
OWASP Secure Coding Practices
Read this discussion thread fully
Our Security FAQ (especially OWASP and Other Topics)
 
arushi tomar
Ranch Hand
Posts: 91
Karthik Shiraly wrote:

I didn't check your reply until now, but I already moved up to the part where I am saving encrypted passwords now and sending a password reset link to the user (not copy-pasted, I tried to do it myself), but I am not able to send a link via mail. I'm trying to work on that now. And I will read all the links you have posted. Thanks for the effort. It is much appreciated. :-)
 
arushi tomar
Ranch Hand
Posts: 91
Scott Selikoff wrote:

Yes, I am not decrypting the password now. I am sending a link to reset the password to the user. Thanks a lot.
 
arushi tomar
Ranch Hand
Posts: 91
Tim Moores wrote:

Thanks Tim, your reply made me think properly about the problem and use a different approach altogether.
 