Da li moze neko da mi objasni zastitu

Dragi Tata · 01. 03. 2009.

Slučajno naleteh na ovaj taze blog administratora sajta CodeProject.com:

http://www.codeproject.com/script/Me...06#xx2939706xx

There's always debate[^], complaints[^] and personal preferences as to whether passwords should be encrypted in a database and sent back to a user when it's requested, or whether it should be one-way hashed and 'reset link' (or similar) provided to those users who forget their password.

Over the years we've asked members what they wanted and the preference has changed from "Please send me my original password" to "Please don't send me my password". I, personally, prefer that I get my original password when I ask for it because

a) I hate having to write down or remember Yet Another Password.
b) I don't use the same password for CodeProject as I do for, say, my bank
c) I control my email box
d) Often sites that allow you to reset your password allow anyone to reset your password (meaning you get lots of links that don't work if someone hates you and abuses the system), or they ask you a 'security' question before sending the link. Frankly, everyone knows my Mother's Maiden name ("Mum" AND the name of my first pet ("Cuddles the Rabbit") so these questions, to me, are not very secure. And to be honest I just couldn't be bothered with the extra hassle.

This reasoning doesn't apply for all, and above and beyond these personal reasons of mine there is the simple fact that if you are going to look after personal information of your members you should do it properly.

So, as of today we no longer encrypt passwords, but instead we store them as a one-way hash. This means we can no longer send you your password when you ask for it.

However, I figured we needed to

a) Allow people to maintain their current password if at all possible, and
b) Protect the system from abuse

So when you request a new password, we send you a temporary password and still allow you to sign in with your old password. If you sign in with the temp password then your password becomes the temporary password, permanently. If you suddenly remember your old password and sign in with it, then the temporary password is removed.

Hopefully the best of both worlds with the added security that no one, not us, not you, not your nosy coworkers, will ever know your password.

LiquidBrain · 02. 03. 2009.

Citat:

Originalno napisao Dragi Tata

Slučajno naleteh na ovaj taze blog administratora sajta CodeProject.com:

http://www.codeproject.com/script/Me...06#xx2939706xx

There's always debate[^], complaints[^] and personal preferences as to whether passwords should be encrypted in a database and sent back to a user when it's requested, or whether it should be one-way hashed and 'reset link' (or similar) provided to those users who forget their password.

Over the years we've asked members what they wanted and the preference has changed from "Please send me my original password" to "Please don't send me my password". I, personally, prefer that I get my original password when I ask for it because

a) I hate having to write down or remember Yet Another Password.
b) I don't use the same password for CodeProject as I do for, say, my bank
c) I control my email box
d) Often sites that allow you to reset your password allow anyone to reset your password (meaning you get lots of links that don't work if someone hates you and abuses the system), or they ask you a 'security' question before sending the link. Frankly, everyone knows my Mother's Maiden name ("Mum" AND the name of my first pet ("Cuddles the Rabbit") so these questions, to me, are not very secure. And to be honest I just couldn't be bothered with the extra hassle.

This reasoning doesn't apply for all, and above and beyond these personal reasons of mine there is the simple fact that if you are going to look after personal information of your members you should do it properly.

So, as of today we no longer encrypt passwords, but instead we store them as a one-way hash. This means we can no longer send you your password when you ask for it.

However, I figured we needed to

a) Allow people to maintain their current password if at all possible, and
b) Protect the system from abuse

So when you request a new password, we send you a temporary password and still allow you to sign in with your old password. If you sign in with the temp password then your password becomes the temporary password, permanently. If you suddenly remember your old password and sign in with it, then the temporary password is removed.

Hopefully the best of both worlds with the added security that no one, not us, not you, not your nosy coworkers, will ever know your password.

Administrator sa ovakvim stavom i ovakvim principima treba odmah da dobije otkaz...

cvele · 02. 03. 2009.

Citat:

Originalno napisao LiquidBrain

Administrator sa ovakvim stavom i ovakvim principima treba odmah da dobije otkaz...

molim te elaboriraj

bluesman · 02. 03. 2009.

Citat:

Originalno napisao cvele

molim te elaboriraj

Ni ja baš nisam shvatio šta je toliko problematično sa tim stavom da bi dobio otkaz.

LiquidBrain · 02. 03. 2009.

Citat:

Originalno napisao cvele

molim te elaboriraj

a) I hate having to write down or remember Yet Another Password.
c) I control my email box
d) Often sites that allow you to reset your password allow anyone to reset your password (meaning you get lots of links that don't work if someone hates you and abuses the system), or they ask you a 'security' question before sending the link. Frankly, everyone knows my Mother's Maiden name ("Mum" AND the name of my first pet ("Cuddles the Rabbit") so these questions, to me, are not very secure. And to be honest I just couldn't be bothered with the extra hassle.

Ono boldovano je interesantno, zapisati pasword? Kakav je to admin koji zapisuje passworde?

Ne moze da bude 100% siguran da on controlise svoj email... Sta je sa snifovanjem saobracaja? Pa onda posalji password u mail-u. Ako se posalje link to nije toliki problem jer onda napadac moze samo da peuzme taj nalog, ne josh neki drugi koji ima isti password.

A sto se tice poslednjeg dela problem je sa samim sajtovima a ponajvise sa tim sto on takve sajtove posecuje!!! Ako neki sajt nije siguran sam po sebi ne treba ga ni koristiti!!!

Mozda neki od razloga zvuce glupo i preterano, ali u zavisnosti od odgovornosti koje posao nosi , takva predostroznost je neophodna.

Milos Vukotic · 02. 03. 2009.

Citat:

Originalno napisao LiquidBrain

Kakav je to admin koji zapisuje passworde?

Iskusan, prekaljen, naučen poslu...

cvele · 02. 03. 2009.

a) I hate having to write down or remember Yet Another Password.
c) I control my email box
d) Often sites that allow you to reset your password allow anyone to reset your password (meaning you get lots of links that don't work if someone hates you and abuses the system), or they ask you a 'security' question before sending the link. Frankly, everyone knows my Mother's Maiden name ("Mum" AND the name of my first pet ("Cuddles the Rabbit") so these questions, to me, are not very secure. And to be honest I just couldn't be bothered with the extra hassle. ukazivanje na probleme kod drugih... i lose prakse...

boldovane stvari su interesantne, italic su komentari

bluesman · 02. 03. 2009.

Citat:

Originalno napisao LiquidBrain

Ono boldovano je interesantno, zapisati pasword? Kakav je to admin koji zapisuje passworde?

Kakav god da je ... mnogo je bolji od onoga koji koristi isti password za sve

Kakav ti moraš da budeš genije da zapamtiš stotinjak passworda na 200 servera (tu uključujem sve one lične naloge tipa gmail, fb, flickr... kao i one poslovne + ftp + shell + mail + ko zna šta...).

Dragi Tata · 02. 03. 2009.

Zapisivanje lozinki je u stvari dobra stvar: http://news.cnet.com/Microsoft-secur...0.html?tag=txt

Ako pamtiš lozinke, mnogo je veća verovatnoća da su jednostavne i da ih retko menjaš.

misk0 · 02. 03. 2009.

Citat:

Originalno napisao bluesman

Kakav ti moraš da budeš genije da zapamtiš stotinjak passworda na 200 servera (tu uključujem sve one lične naloge tipa gmail, fb, flickr... kao i one poslovne + ftp + shell + mail + ko zna šta...).

Ja nemam 200 servera, ali sigurno imam 100-150 passworda od razlicitih accounta, bilo od clanarina, software-a za backup, switche-va, UPS-va i slicno. Jos jedan glas za 'zapisivanje'.

btw. neko je nekad spominjao da postoji 'mobilni sef' tj programcic u koji trpas sve svoje sifre, zastitis ga drugom sifrom i pokreces sa USB sticka bez instalacije i slicno... Sjeca se neko imena toga?

Slične teme
Tema	Početna poruka teme	Forum	Odgovori	Poslednja poruka
Neka mi neko objasni ako zna - MTU, hosting ili nesto trece...	Dejan Bizinger	Web Hosting, web serveri i operativni sistemi	5	07. 09. 2007. 02:38
Moze li ovo krace?	Pedja	PHP	7	02. 08. 2007. 12:50
Ko moze duze? : )	dee	Opušteno	20	24. 10. 2006. 07:46
Da li ovo moze?!? a i ako moze kako?!?	LiquidBrain	PHP	16	22. 09. 2006. 14:55

01. 03. 2009.	#1
Dragi Tata dinosaurus Master Datum učlanjenja: 29.12.2005 Lokacija: Nova Engleska Poruke: 636 Hvala: 79 263 "Hvala" u 66 poruka	Slučajno naleteh na ovaj taze blog administratora sajta CodeProject.com: http://www.codeproject.com/script/Me...06#xx2939706xx There's always debate[^], complaints[^] and personal preferences as to whether passwords should be encrypted in a database and sent back to a user when it's requested, or whether it should be one-way hashed and 'reset link' (or similar) provided to those users who forget their password. Over the years we've asked members what they wanted and the preference has changed from "Please send me my original password" to "Please don't send me my password". I, personally, prefer that I get my original password when I ask for it because a) I hate having to write down or remember Yet Another Password. b) I don't use the same password for CodeProject as I do for, say, my bank c) I control my email box d) Often sites that allow you to reset your password allow anyone to reset your password (meaning you get lots of links that don't work if someone hates you and abuses the system), or they ask you a 'security' question before sending the link. Frankly, everyone knows my Mother's Maiden name ("Mum" AND the name of my first pet ("Cuddles the Rabbit") so these questions, to me, are not very secure. And to be honest I just couldn't be bothered with the extra hassle. This reasoning doesn't apply for all, and above and beyond these personal reasons of mine there is the simple fact that if you are going to look after personal information of your members you should do it properly. So, as of today we no longer encrypt passwords, but instead we store them as a one-way hash. This means we can no longer send you your password when you ask for it. However, I figured we needed to a) Allow people to maintain their current password if at all possible, and b) Protect the system from abuse So when you request a new password, we send you a temporary password and still allow you to sign in with your old password. If you sign in with the temp password then your password becomes the temporary password, permanently. If you suddenly remember your old password and sign in with it, then the temporary password is removed. Hopefully the best of both worlds with the added security that no one, not us, not you, not your nosy coworkers, will ever know your password.

02. 03. 2009.	#7
cvele Banned Knowledge base Datum učlanjenja: 01.07.2005 Poruke: 1.598 Hvala: 206 140 "Hvala" u 89 poruka	a) I hate having to write down or remember Yet Another Password. c) I control my email box d) Often sites that allow you to reset your password allow anyone to reset your password (meaning you get lots of links that don't work if someone hates you and abuses the system), or they ask you a 'security' question before sending the link. Frankly, everyone knows my Mother's Maiden name ("Mum" AND the name of my first pet ("Cuddles the Rabbit") so these questions, to me, are not very secure. And to be honest I just couldn't be bothered with the extra hassle. ukazivanje na probleme kod drugih... i lose prakse... boldovane stvari su interesantne, italic su komentari