On 18-6-2012 2:25, Mattias Linnap wrote:
> I would argue that this is as secure as ordinary password reset emails.
> Emailing users their passwords is insecure if they *themselves* chose
> the password - because they often re-use it on multiple sites.
> As long as it is a randomly generated one, it is no different from
> emailing them password reset links.
> Do you agree?
Nope. Emailing passwords is insecure because they guard information not normally available. If your site stores the user's credit card info, would you still agree with your own assessment?

Password reset links are more secure not because they don't contain the password, but because they are time-limited and one-shot, thus requiring the malicious user to act fast and before the real user does so. The fact that you do not require them to reset their randomly generated password makes your method insecure. And the fact that it isn't time-limited.

Even though mailman does the same thing and even reminds you monthly, mailman does not claim to be a secure authentication system.

--
Melvyn Sopacua
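As an added example that is not part of the thread (constructed here, not Django's own code, though it follows the same idea as Django's PasswordResetTokenGenerator): a minimal time-limited, one-shot reset token. The token is an HMAC over the user id, an issue timestamp and the user's current password hash, so it stops verifying after a TTL and dies as soon as the password it was issued for has been changed; the secret, salt and TTL are assumed values.

```python
import hashlib
import hmac
import time

# Constructed server-side secret for the example; a real deployment uses its own.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 3600  # a reset link is only honoured for one hour


def hash_password(password: str, salt: bytes) -> str:
    """Stand-in for the site's password hashing (PBKDF2 here for brevity)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def _signature(user_id: int, password_hash: str, issued_at: int) -> str:
    # Binding the current password hash into the MAC is what makes the token one-shot:
    # once the password changes, the old token no longer verifies.
    msg = f"{user_id}:{password_hash}:{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_reset_token(user_id: int, password_hash: str, now=None) -> str:
    issued_at = int(now if now is not None else time.time())
    return f"{issued_at}-{_signature(user_id, password_hash, issued_at)}"


def check_reset_token(token: str, user_id: int, password_hash: str, now=None) -> bool:
    """True only if the token is well-formed, unexpired and unforged for this user/hash."""
    try:
        issued_str, sig = token.split("-", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    now = int(now if now is not None else time.time())
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False  # from the future, or older than the TTL
    expected = _signature(user_id, password_hash, issued_at)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def reset_password(user: dict, token: str, new_password: str, now=None) -> bool:
    """Consume the token: succeeds once, then the stored hash changes and the token is dead."""
    if not check_reset_token(token, user["id"], user["password_hash"], now):
        return False
    user["password_hash"] = hash_password(new_password, user["salt"])
    return True
```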

