
hashing-security - Password Reset token should be hashed in DB

Open. raphael-riel opened this issue 11 years ago • 1 comment

For article: /hashing-security.htm, point: FAQ > "How should I allow users to reset their password when they forget it?"

The token used for password reset should be hashed when stored in the database. The plaintext version of the token should only reside in the email sent to the user. In case an attacker has read-only access to the DB (SQL injection or whatever), he won't be able to use the tokens.

Suggested case: the attacker has read-only access to the DB; requests a password reset for the targeted user; recovers the token from the DB for the given user; manually generates a reset URL and takes over the user's account.

raphael-riel avatar Jan 30 '14 16:01 raphael-riel
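The flow described in the issue, as an added example that is not part of the original thread or of the crackstation article. It stores only a SHA-256 digest of each reset token, keeps the plaintext token for the email link alone, and then models the issue's attacker: someone who can read the token table but not write it. A single fast hash is enough here (unlike for passwords) because the token is a 256-bit random value from `secrets`, so there is nothing to dictionary-attack and no salt is needed. The in-memory `USERS` and `RESET_TOKENS` tables, the 15-minute lifetime and the function names are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the database tables (assumed schema).
USERS = {"alice": {"password_hash": "<existing-bcrypt-hash>"}}
RESET_TOKENS = {}  # sha256(token) hex -> {"user": ..., "expires": ...}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


def hash_token(token: str) -> str:
    """Tokens are 256-bit random strings, so an unsalted fast hash is fine:
    an attacker who reads the digest cannot feasibly find a preimage."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_reset(username: str, now=None) -> str:
    """Create a reset token for the user. Only its hash is written to the DB;
    the plaintext token is returned to go into the email link and is never
    persisted anywhere the application can read it back."""
    if username not in USERS:
        # A real endpoint should respond identically for unknown users
        # to avoid account enumeration; raising keeps the example short.
        raise KeyError(username)
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    RESET_TOKENS[hash_token(token)] = {
        "user": username,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def consume_reset(token: str, new_password_hash: str, now=None) -> bool:
    """Redeem a token presented in a reset link. Look it up by hash, enforce
    expiry and single use, then set the new password hash. Indexing the table
    by the digest is safe: guessing a valid digest is as hard as guessing the
    token, so no timing side channel on the lookup helps the attacker."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(hash_token(token), None)  # pop => one-time use
    if record is None:
        return False
    if now > record["expires"]:
        return False
    USERS[record["user"]]["password_hash"] = new_password_hash
    return True


def attacker_with_db_read(username: str, now=None) -> bool:
    """The issue's scenario: the attacker has already triggered a reset for the
    victim and can read the DB (e.g. via SQL injection) but not write it.
    All they can recover is the stored digest; pasting it into a reset URL
    fails because the server hashes it again and finds no match."""
    leaked = [h for h, r in RESET_TOKENS.items() if r["user"] == username]
    return any(consume_reset(h, "attacker-chosen-hash", now) for h in leaked)


if __name__ == "__main__":
    link_token = request_reset("alice", now=1000.0)
    print("stored plaintext?", link_token in RESET_TOKENS)           # False
    print("attacker takeover?", attacker_with_db_read("alice", 1000.0))  # False
    print("legit reset?", consume_reset(link_token, "new-hash", 1100.0))  # True
```

Had the table stored `link_token` itself, `attacker_with_db_read` would succeed on the first try; with the digest stored, the victim's password hash is untouched and the genuine link still works once and only within its lifetime.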

You are right. I will update the article!

defuse avatar Feb 03 '14 13:02 defuse