Say the secret word
I’ve had to make a rather fraught decision. Others have made it too, and they don’t talk about it, maybe because it has to do with security. But from what I can see, if your code is open in any way, it isn’t hidden information, and the alternatives are not always any more secure.
If you want to do the thing where you send people their password if they forget it, you have to store people’s passwords as cleartext in the database. There may be some fancier way to do it than that, involving some wacky connection to a machine or file that isn’t otherwise accessible, but basically, if we’re aiming for this thing to be runnable on shared hosting (which we are), I have a feeling that passwords will be in the DB, and they’ll have to be clear. The forgot-your-password deal can be worked a few different ways: store an answer to a stock challenge question, store a challenge question and its answer, require the user to enter a username-and-email pair, just ask for an email and see if a username is associated with it, or (finally) just ask for a username and kick an email out to the associated address, with the password in it. (That last bit is the eventual goal of all these methods, of course; the theory is that only the real user gets the email with the password in it, in any case.)
Those are all the methods I’ve seen. There are probably others. They all rely on the security of cleartext email, of the server running the scripts, and of the server running the database. None of those are necessarily secure, but none of them are my problem as the author of the scripts. And this is all to say nothing of our repeated sending of cleartext passwords and session hashes in the cookie.
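The post takes cleartext storage as the price of a forgot-your-password feature and alludes to some "fancier way" of avoiding it. As an added example (not code from the original post), here is that fancier way in plain Python with only the standard library: the database row holds a salted, slow hash of the password, and the forgot-password step mails out a random single-use token whose hash and expiry are stored, so neither a database dump nor a stale email yields a working credential. `UserStore`, its field names and the 15-minute token lifetime are assumptions made for the example.

```python
# Added example, not code from the original post: a forgot-password flow that
# never stores a recoverable password. UserStore and its fields are assumed.
import hashlib, hmac, os, secrets, time

PBKDF2_ROUNDS = 200_000
TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed lifetime)

def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash; the DB holds this, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

class UserStore:
    """In-memory stand-in for the shared-hosting database the post describes.
    `now` parameters default to the wall clock and exist so tests can fix time."""
    def __init__(self):
        self.users = {}   # username -> {"email", "salt", "pw_hash"}
        self.resets = {}  # username -> {"tok_hash", "expires"}

    def set_password(self, username, email, password):
        salt = os.urandom(16)
        self.users[username] = {"email": email, "salt": salt,
                                "pw_hash": hash_secret(password, salt)}

    def check_password(self, username, password):
        u = self.users.get(username)
        return u is not None and hmac.compare_digest(
            u["pw_hash"], hash_secret(password, u["salt"]))

    def request_reset(self, username, now=None):
        """Return (email, token) to mail out, or None for an unknown user.
        Only the token's hash is stored, so a DB dump yields nothing usable."""
        u = self.users.get(username)
        if u is None:
            return None
        token = secrets.token_urlsafe(32)
        self.resets[username] = {"tok_hash": hashlib.sha256(token.encode()).digest(),
                                 "expires": (now if now is not None else time.time()) + TOKEN_TTL}
        return u["email"], token

    def complete_reset(self, username, token, new_password, now=None):
        """Accept the token once, within its lifetime, then set the new password."""
        r = self.resets.get(username)
        if r is None or (now if now is not None else time.time()) > r["expires"]:
            return False
        if not hmac.compare_digest(r["tok_hash"], hashlib.sha256(token.encode()).digest()):
            return False
        del self.resets[username]  # single use
        self.set_password(username, self.users[username]["email"], new_password)
        return True
```

The mailed token does the job the post assigns to the mailed password (only the holder of the mailbox can use it), but it is worthless after fifteen minutes or one use, and the stored password hash is never sent anywhere.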
What I’m going on about, what’s bugging me, is that authors of web applications seem to make a lot of lax assumptions about security. I have no problem with that; I am too. But it bugs me anyway, because past a certain point, there seems to be nothing you can really do.
October 2nd, 2003