
If a user forgets his login credentials for a web site, is it secure enough to send the user's credentials by SMS?

Jon smith optional
    You should never have a user's password in a recoverable form... – 1615903 May 03 '13 at 09:48
  • I don't store the user's password; I only store the user's password hash. But if a user forgets his user ID or email, I want to send it by SMS. Also, if a user forgets his password, I want to send him a reset code by SMS. Then the user must enter the reset code in a web form and choose a new password. – Jon smith optional May 03 '13 at 09:51
  • The last comment just forced me to delete my response. Just make sure you have a way of notifying the user of the reset. I would personally keep 2 password hashes (old and new/temp), and let them authenticate against both for a small period afterwards to ensure the actual user hasn't been locked out due to forgetting to update his contact number on file. – David Houde May 03 '13 at 10:01
  • It's quite amazing how many large companies store user data in plaintext, and will actually SMS plaintext passwords to users in the event they are lost. Glad you are not following their example. – David Houde May 03 '13 at 10:02

1 Answer


I wouldn't send his credentials via SMS, but perhaps a code that can be used to reset his password. Sending the password unencrypted back via SMS is sometimes seen as a violation of privacy. (It shouldn't be possible to decrypt it in a good setup.)

Bulki
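The flow the answer and the comments converge on (never recover the password; send a short-lived reset code by SMS; keep the old password hash usable for a grace period in case the SMS went to a stale number) is shown below as an added example. It is not code from the question, the answer, or any commenter. Everything in it is an assumption for illustration: the in-memory `USERS` and `RESET_CODES` dictionaries stand in for a database, `SERVER_PEPPER` stands in for a secret loaded from configuration, and the 8-digit code length, 10-minute lifetime, 5-attempt limit and 24-hour grace period are example values.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Assumed example values; a real deployment loads the pepper from config/KMS
# and stores users and codes in a database.
SERVER_PEPPER = b"example-server-secret-do-not-hardcode"
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5
OLD_PASSWORD_GRACE_SECONDS = 24 * 3600

# Constructed in-memory stores for the example.
USERS = {
    "alice": {"phone": "+1-555-0100", "pw_hash": None, "pw_salt": None,
              "old_pw_hash": None, "old_pw_salt": None, "old_valid_until": 0.0},
}
RESET_CODES: dict = {}   # username -> {"code_hash": bytes, "expires": float, "attempts": int}


def _hash_code(code: str) -> bytes:
    # Keyed hash: a leaked table of code hashes cannot be brute-forced offline
    # without the server-side pepper, even though the code space is small.
    return hmac.new(SERVER_PEPPER, code.encode(), hashlib.sha256).digest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted password hash; only this is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    user["pw_salt"] = os.urandom(16)
    user["pw_hash"] = _hash_password(password, user["pw_salt"])
    return True


def issue_reset_code(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use, time-limited numeric code and return it so the caller
    can send it by SMS. Only its keyed hash is stored. Returns None for an unknown
    user; the HTTP layer should respond identically either way."""
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"        # 8 random digits
    RESET_CODES[username] = {"code_hash": _hash_code(code),
                             "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_reset_code(username: str, code: str, now: Optional[float] = None) -> bool:
    """Constant-time comparison; the code is consumed on success and discarded
    after expiry or MAX_ATTEMPTS failures, limiting online guessing."""
    now = time.time() if now is None else now
    entry = RESET_CODES.get(username)
    if entry is None:
        return False
    if now > entry["expires"]:
        del RESET_CODES[username]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del RESET_CODES[username]
        return False
    if hmac.compare_digest(entry["code_hash"], _hash_code(code)):
        del RESET_CODES[username]       # single use
        return True
    return False


def reset_password(username: str, code: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Set a new password once the code verifies, keeping the previous hash
    valid for a grace period so the real owner is not locked out."""
    now = time.time() if now is None else now
    if not verify_reset_code(username, code, now):
        return False
    user = USERS[username]
    user["old_pw_hash"], user["old_pw_salt"] = user["pw_hash"], user["pw_salt"]
    user["old_valid_until"] = now + OLD_PASSWORD_GRACE_SECONDS
    user["pw_salt"] = os.urandom(16)
    user["pw_hash"] = _hash_password(new_password, user["pw_salt"])
    return True


def check_password(username: str, password: str, now: Optional[float] = None) -> bool:
    """Accept the current password, or the previous one while its grace period lasts."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or user["pw_hash"] is None:
        return False
    if hmac.compare_digest(user["pw_hash"], _hash_password(password, user["pw_salt"])):
        return True
    if user["old_pw_hash"] is not None and now <= user["old_valid_until"]:
        return hmac.compare_digest(user["old_pw_hash"],
                                   _hash_password(password, user["old_pw_salt"]))
    return False
```

The SMS itself carries only the short code; the user ID or email the questioner wants to send can go in the same message without exposing any secret, since the code is useless without the web form, expires, and is bound to a single account. Any notification of a completed reset should go to the address on file as well, as one comment suggests.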