Is this good idea to send activation link with encrypted password
Felix Samy wrote:
Is this good idea to send activation link with encrypted password
Why would you want to send the encrypted password anywhere?
On Wed, Oct 6, 2010 at 8:41 AM, Ar Chron [email protected] wrote:
Felix Samy wrote:
Is this good idea to send activation link with encrypted password
then encrypted password?
For what??
I recently started with Authlogic and it specifically uses a
specifically
generated temporary token for such so that it is not necessary to send
an
encrypted password or anything else. I think in general security wise if
you
are using encryption that you dont want a lot of your encrypted data
floating around as given a large enough sample available publicaly
theoretically it could be possible to determine your encryption keys.
David
PS, this is the authlogic explanation. Their point is that the token
expires, as unless you put in other safeguards if the encrypted password
might be able to be used again, for security purposes it really should
be
reset. I think my prev explanation is probably highly unlikely.
http://rdoc.info/github/binarylogic/authlogic/master/Authlogic/ActsAsAuthentic/PerishableToken