RE: Email Encryption?

At the time of the account setup, you'll have the unencrypted and encrypted
password.  Send the email before it gets encrypted.

Still, this is a little silly, since the email is unencrypted.  I guess you
could base64 encode the email, but that'd take an extra step.

Oooh, what about this?  Send an email that takes you to an https: page that
only can be viewed by entering a valid code sent in another email?  This
https page, given the right code, will give you your username and password?

The two separate emails provide a bit of obscurity, and the password is
always encrypted.

On the server side, if these accounts would only be accessed from certain
IP blocks, you can block other requests.

Peter

On Fri, 15 Nov 2002, Aaron Wolski wrote:

> My client is the one doing the setup of accounts.
>
> How would the account holder know of his password before it got
> encrypted?
>
> Hence the email.
>
> Aaron
>
> -----Original Message-----
> From: Peter Beckman [mailto:beckman@purplecow.com]
> Sent: November 15, 2002 12:35 PM
> To: Aaron Wolski
> Cc: 'Jason Vincent'; php-db@lists.php.net
> Subject: RE:  Email Encryption?
>
> Why not encrypt the password in the DB?  If they lose their password, it
> cannot be sent to them.  They chose it, so it doesn't need to be sent to
> them in their email.  If they lose it, it is changed, and they have to
> change it again.  That way, only if they are stupid do they have an
> extra step.
>
> The passwords in the DB are encrypted, so only if someone gets a hold of
> the DB can the passwords be cracked by brute force.
>
> md5 would work fine for this.  It is the same security that FreeBSD uses
> in their password file.
>
> Peter
>
> On Fri, 15 Nov 2002, Aaron Wolski wrote:
>
> > Well.
> >
> > It's not what they want.. it's what one of their clients want (very big
> > corporation with very unrealistic security standards - you'd think they
> > were NASA or something *grumble*)
> >
> > Their thought is that someone could hack the received email, login to
> > the store using the publicly displayed login details and wreak havoc
> > on the store, etc.
> >
> > *shrugs* Sadly this isn't open for debate as a solution IS required.
> >
> > Any thoughts?
> >
> > Aaron
> >
> > -----Original Message-----
> > From: Jason Vincent [mailto:jayv@nortelnetworks.com]
> > Sent: November 15, 2002 11:42 AM
> > To: Aaron Wolski; php-db@lists.php.net
> > Subject: RE:  Email Encryption?
> >
> > Why email? If the Admin tool uses SSL, that is all you need.
> > Regards,
> > J
> >
> > -----Original Message-----
> > From: Aaron Wolski [mailto:aaronjw@martekbiz.com]
> > Sent: Friday, November 15, 2002 11:39 AM
> > To: 'Aaron Wolski'; php-db@lists.php.net
> > Subject: RE:  Email Encryption?
> >
> > Just thinking here..
> >
> > PGP is not an option as it would mean EACH user being set up would need
> > the company's public key to decrypt. Not possible as they set up a few
> > hundred accounts each month.
> > Hmm.. anything else?
> > Argh :(
> > Aaron
> > -----Original Message-----
> > From: Aaron Wolski [mailto:aaronjw@martekbiz.com]
> > Sent: November 15, 2002 11:36 AM
> > To: php-db@lists.php.net
> > Subject:  Email Encryption?
> > <OFFTOPIC>
> >
> > Sorry for the off topic guys..
> >
> > But I've just been informed that an application we developed for a
> > client whereby they use an Admin tool to set up user accounts into their
> > store needs to have the login (username and password) encrypted.
> >
> > I am thinking PGP for this but to be honest I've never really worked
> > with PGP and wouldn't have the first clue.
> >
> > Does anyone have any experience with this or can offer any advice at
> > all?
> >
> > Again, sorry for the OT discussion.
> >
> > Aaron
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
> ---------------------------------------------------------------------------
> Peter Beckman            Systems Engineer, Fairfax Cable Access Corporation
> beckman@purplecow.com                             http://www.purplecow.com/
> ---------------------------------------------------------------------------

---------------------------------------------------------------------------
Peter Beckman            Systems Engineer, Fairfax Cable Access Corporation
beckman@purplecow.com                             http://www.purplecow.com/
---------------------------------------------------------------------------
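
The two-email flow proposed in the message above, sketched in PHP as an added example (not code from the thread or from any of its posters). Assumptions: the `PendingAccounts` class, the in-memory array standing in for a database table, the 24-hour expiry and the five-attempt limit are all hypothetical; and instead of displaying a stored password, the HTTPS page lets the user choose one (as the quoted earlier reply suggests) and keeps only `password_hash()` output rather than the md5 mentioned there.

```php
<?php
declare(strict_types=1);
// Hypothetical in-memory store; a real application would use a DB table.
final class PendingAccounts
{
    private array $rows = [];

    // Account setup: returns the two secrets, one for each email.
    public function create(string $user, int $now, int $ttl = 86400): array
    {
        $token = bin2hex(random_bytes(32)); // email 1: part of the https URL
        $code  = bin2hex(random_bytes(8));  // email 2: typed into the page
        $this->rows[$user] = [
            'token' => hash('sha256', $token), // only digests are kept
            'code'  => hash('sha256', $code),
            'expires' => $now + $ttl, 'tries' => 0,
        ];
        return ['token' => $token, 'code' => $code];
    }

    // HTTPS page: needs both secrets, returns the hash to store or null.
    public function redeem(string $user, string $token, string $code,
                           string $newPassword, int $now): ?string
    {
        $row = $this->rows[$user] ?? null;
        if ($row === null || $now > $row['expires'] || $row['tries'] >= 5) {
            return null; // unknown, expired, or too many guesses
        }
        $this->rows[$user]['tries']++;
        // Constant-time comparison of digests, both evaluated every time.
        $tokenOk = hash_equals($row['token'], hash('sha256', $token));
        $codeOk  = hash_equals($row['code'], hash('sha256', $code));
        if (!($tokenOk && $codeOk)) {
            return null;
        }
        unset($this->rows[$user]); // single use: a replayed link fails
        return password_hash($newPassword, PASSWORD_DEFAULT);
    }
}

// Constructed demo values, not taken from the thread.
$store = new PendingAccounts();
$now = 1700000000;
$s = $store->create('jdoe', $now);
$show = fn(?string $h): string => $h === null ? "rejected\n" : "accepted\n";
echo 'link email only: ', $show($store->redeem('jdoe', $s['token'], 'guess', 'N3w-pass', $now));
echo 'both emails: ', $show($store->redeem('jdoe', $s['token'], $s['code'], 'N3w-pass', $now));
echo 'replayed link: ', $show($store->redeem('jdoe', $s['token'], $s['code'], 'N3w-pass', $now));
```

Neither email carries a reusable credential on its own, and the login check later uses `password_verify()` against the stored hash.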

