Re: password generation/sending



On 17 Feb, 16:49, rober...@xxxxxxxxxxxx (Walter Roberson) wrote:
In article <1171696278.982057.113...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,

<rena...@xxxxxxxxxxx> wrote:
I need to automatically generate and reset passwords for users
(that's a requirement), but I do not know how to send it to them, as
it should be encrypted on the network.

I think email is not secure, as not all users will have encryption on
their Email client (hotmail...).
Any idea how to do that ?

Your requirements are internally incompatible. There is *no*
secure way in which to transmit plain-text passwords over an insecure
network. (This is sometimes called "the key distribution problem".)

You are right.
I might use the following approach:

When a user is created, an email will be sent to him.
The email will contain a link to an https web page (the link will only
last 24 hours).
On the web page, he will be prompted to answer a secret question (he
chose the question + answer when creating his account).
If successful, the page will display the generated password (he will
have to change it at his first login).

Same procedure if he wants to reset his password.

The only problem I can see is phishing using a web page that would
look like my web page.

Any comment is welcome :)

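The flow proposed in the reply above (emailed link that lasts 24 hours, HTTPS page, secret question, generated password shown once, forced change at first login), written out as an added Python example that is not part of the original thread. It assumes an in-memory user store and a hypothetical reset URL (`https://example.invalid/reset`); a real deployment would back both with a database and the site's own address. The details that matter for the server side are that the link token is random, stored only as a hash, single use and expiring; that the secret answer is salted-hashed and compared in constant time with a cap on guesses per link, since such answers are low-entropy; that the new password is generated only when the answer is verified, so no plaintext password ever sits in the store; and that the old password stays valid until the reveal succeeds, so a stranger requesting a reset cannot lock a user out. The phishing concern raised in the post is about the client side and is not addressed by this code.

```python
import hashlib
import hmac
import secrets
import string
import time
from urllib.parse import parse_qs, urlparse

# Hypothetical address of the HTTPS reset page (an assumption, not the poster's site).
RESET_PAGE = "https://example.invalid/reset"
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 16) -> str:
    """Generate the password with the CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _slow_hash(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither passwords nor secret answers are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 100_000)


def _normalize(answer: str) -> str:
    """Fold case and whitespace so 'Rex' and ' rex ' compare equal."""
    return " ".join(answer.lower().split())


def token_from_link(link: str) -> str:
    """Extract the token the browser submits back from the emailed link."""
    return parse_qs(urlparse(link).query)["token"][0]


class PasswordResetService:
    TOKEN_TTL = 24 * 3600   # the link lives 24 hours, as in the proposal
    MAX_ATTEMPTS = 5        # secret answers are guessable; cap attempts per link

    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so expiry can be exercised offline
        self.users = {}      # username -> record (in-memory stand-in for a database)
        self.tokens = {}     # sha256(token) -> {"username", "expires", "attempts"}

    def register(self, username: str, secret_answer: str) -> str:
        """Create the account (no usable password yet) and return the link to email."""
        answer_salt, pw_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[username] = {
            "answer_salt": answer_salt,
            "answer_hash": _slow_hash(_normalize(secret_answer), answer_salt),
            "pw_salt": pw_salt,
            "pw_hash": None,
            "must_change": True,
        }
        return self.issue_reset(username)

    def issue_reset(self, username: str) -> str:
        """Mint a single-use, time-limited link; the current password stays valid
        until the reveal succeeds, so requesting a reset cannot lock the user out."""
        # Only one outstanding link per user: drop any earlier one.
        self.tokens = {k: v for k, v in self.tokens.items() if v["username"] != username}
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).digest()] = {
            "username": username,
            "expires": self.clock() + self.TOKEN_TTL,
            "attempts": 0,
        }
        return f"{RESET_PAGE}?token={token}"

    def reveal_password(self, token: str, secret_answer: str):
        """The HTTPS page: check link and answer, then generate, set and return a
        fresh password. Returns None on any failure without saying which."""
        key = hashlib.sha256(token.encode()).digest()   # store only the hash, look up by hash
        entry = self.tokens.get(key)
        if entry is None:
            return None
        if self.clock() > entry["expires"]:
            del self.tokens[key]
            return None
        entry["attempts"] += 1
        if entry["attempts"] > self.MAX_ATTEMPTS:
            del self.tokens[key]
            return None
        user = self.users[entry["username"]]
        given = _slow_hash(_normalize(secret_answer), user["answer_salt"])
        if not hmac.compare_digest(given, user["answer_hash"]):
            return None
        del self.tokens[key]                              # single use
        password = generate_password()                    # created only now, never stored in clear
        user["pw_hash"] = _slow_hash(password, user["pw_salt"])
        user["must_change"] = True                        # forced change at first login
        return password

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if user is None or user["pw_hash"] is None:
            return None
        if not hmac.compare_digest(_slow_hash(password, user["pw_salt"]), user["pw_hash"]):
            return None
        return "must_change_password" if user["must_change"] else "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        if self.login(username, old) is None:
            return False
        user = self.users[username]
        user["pw_hash"] = _slow_hash(new, user["pw_salt"])
        user["must_change"] = False
        return True
```

Usage: `svc.register(user, answer)` or `svc.issue_reset(user)` returns the link to put in the email; the page handler calls `svc.reveal_password(token_from_link(link), answer)` and shows the result once; `svc.login` returns `"must_change_password"` until `svc.change_password` has been called with the generated value.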