
If a company sends me a new password via SMS/email because I clicked "forgot my password", does that mean the company is not actually hashing my passwords?

Steve Dodier-Lazaro

2 Answers


If they are indeed sending you a new password (i.e., a system-generated password other than the one you previously had) when you click 'forgot my password', then no, that doesn't mean they're not hashing passwords. They can have their forgot-password function generate a password, hash it and store it in their database, and then (while it's still in memory) generate an email that includes the plaintext value.

Iszi
PwdRsch

I have not encountered a site that actually sends a new password in years. What they do is send a password reset link that expires fairly soon. The lengthy character string won't be brute-forced anytime in this universe but is simply matched (and expiry time checked) to allow you to enter a new password of your choosing. Good sites will do that on an SSL page.

An attacker would have to compromise either the outgoing mail from the site or your incoming mail, probably easier to go another route.

paul
Some sites will generate a random password, send it to you via email and set a flag on your account that forces you to change your password on next login; similar to what an IT administrator would do if you forgot your user account password. – sleblanc Aug 15 '14 at 02:18
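Both flows discussed in this thread (Iszi's and sleblanc's mailed temporary password with a forced change at next login, and paul's short-lived reset link) can be implemented without the site ever storing a plaintext password or token. The following is an added example, not code from the original question or answers; it assumes an in-memory dict standing in for the user table, PBKDF2-HMAC-SHA256 standing in for whatever password hash the site uses, and "sending the email" being simulated by returning the plaintext value to the caller. All names, iteration counts and the 15-minute expiry are assumptions.

```python
"""Constructed example of two 'forgot my password' flows that never
store a plaintext password or reset token. Assumptions (not from the
thread): an in-memory dict is the user table, PBKDF2-HMAC-SHA256 is the
password hash, and the e-mail is simulated by returning the secret once."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000   # assumption; tune to the deployment's budget
RESET_TTL_SECONDS = 15 * 60   # assumption: reset links die after 15 minutes


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash used for both passwords and reset tokens, so a
    database dump gives an attacker neither."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def verify_secret(secret: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_secret(secret, salt), expected)


def new_user_table() -> dict:
    """Constructed user table with one account and a known old password."""
    salt = secrets.token_bytes(16)
    return {"alice": {"salt": salt,
                      "pw_hash": hash_secret("old-password", salt),
                      "must_change": False}}


# --- Variant A: mail a system-generated temporary password (Iszi / sleblanc) ---

def issue_temporary_password(users: dict, username: str) -> str:
    """Generate a random password, store only its hash, flag the account so
    the user must pick a new password at next login, and return the
    plaintext exactly once (the value the site would put in the e-mail)."""
    temp = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    users[username].update({"salt": salt,
                            "pw_hash": hash_secret(temp, salt),
                            "must_change": True})
    return temp   # exists only in memory here; never written to the table


def login(users: dict, username: str, password: str) -> str:
    u = users.get(username)
    if u is None or not verify_secret(password, u["salt"], u["pw_hash"]):
        return "denied"
    return "must_change_password" if u["must_change"] else "ok"


# --- Variant B: mail a short-lived, single-use reset link (paul) ---

def issue_reset_token(users: dict, username: str, now: float) -> str:
    """256-bit random token: matched, never brute-forced. Only its hash
    and an expiry time are stored; the token itself goes into the link."""
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    users[username]["reset"] = {"salt": salt,
                                "token_hash": hash_secret(token, salt),
                                "expires": now + RESET_TTL_SECONDS}
    return token


def redeem_reset_token(users: dict, username: str, token: str,
                       new_password: str, now: float) -> bool:
    """Accept the token only if it exists, is unexpired and matches; then
    consume it and set the user's chosen password."""
    u = users.get(username)
    rec = u.get("reset") if u else None
    if rec is None or now > rec["expires"]:
        return False
    if not verify_secret(token, rec["salt"], rec["token_hash"]):
        return False
    del u["reset"]   # single use: a replayed link fails
    salt = secrets.token_bytes(16)
    u.update({"salt": salt,
              "pw_hash": hash_secret(new_password, salt),
              "must_change": False})
    return True


if __name__ == "__main__":
    users = new_user_table()
    temp = issue_temporary_password(users, "alice")
    print("temp-password login:", login(users, "alice", temp))
    tok = issue_reset_token(users, "alice", now=0.0)
    print("reset redeemed:", redeem_reset_token(users, "alice", tok, "new-pw", now=60.0))
    print("new-password login:", login(users, "alice", "new-pw"))
```

The reset token is hashed before storage for the same reason the password is: whoever can read the table should not be able to mint a valid link from it. Both variants still rely on the mailbox being the trust anchor, which is the point paul's answer makes about an attacker having to compromise the mail path.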