defuse / crackstation

Source code for my crackstation.net website.
https://crackstation.net/
GNU Affero General Public License v3.0

hashing-security - Password Reset token should be hashed in DB #1

Open raphael-riel opened 10 years ago

raphael-riel commented 10 years ago

For article: /hashing-security.htm, point: FAQ > "How should I allow users to reset their password when they forget it?"

The token used for password reset should be hashed when stored in the database. The plain-text version of the token should only reside in the email sent to the user. In case an attacker has read-only access to the DB (SQL injection or whatever), he won't be able to use the tokens.

Suggested case: the attacker has read-only access to the DB; requests a password reset for the targeted user; recovers the token from the DB for the given user; manually generates a reset URL and takes over the user's account.
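The storage pattern the issue asks for, as an added Python example (not code from the crackstation repository): the table, its column names, the TTL and the in-memory dict standing in for the database are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-in for the application's password-reset table
# (hypothetical schema: username -> token_hash, expires). Only the hash
# of the token is ever written here; the plaintext goes out in the e-mail.
RESET_TABLE: dict = {}
TOKEN_TTL_SECONDS = 3600


def hash_token(token: str) -> str:
    # The token is 256 bits of CSPRNG output, so it cannot be guessed or
    # brute-forced from its hash; a single fast hash is enough here
    # (unlike a user-chosen password, which needs a slow, salted KDF).
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Create a reset token for `username`; return the plaintext for the e-mail only."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    RESET_TABLE[username] = {"token_hash": hash_token(token),
                             "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username the token belongs to, or None. Tokens are single-use."""
    now = time.time() if now is None else now
    candidate = hash_token(token)
    for username, row in RESET_TABLE.items():
        # Constant-time comparison so the lookup leaks nothing about stored hashes.
        if hmac.compare_digest(candidate, row["token_hash"]):
            del RESET_TABLE[username]  # consume the token whether or not it expired
            return username if now <= row["expires"] else None
    return None


def leaked_via_db_read(username: str) -> Optional[str]:
    """What the issue's read-only DB access (e.g. SQL injection) would yield."""
    row = RESET_TABLE.get(username)
    return row["token_hash"] if row else None
```

With the hash stored instead of the token, a leaked row gives the attacker a value that `redeem_reset_token` hashes again and therefore rejects.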

defuse commented 10 years ago

You are right. I will update the article!