…
3. Generate a link containing the hash and some other information needed to log in. DO NOT generate a new password; otherwise, knowledge of a user’s account name and e-mail address can be used by others to harass the user (or even deny him service if he’s lost control of or access to his registered e-mail account).
I would only send a link with a generated random GUID. Only when this link is clicked could a new password be created on the landing page.
The link is only allowed to work once.
And such a mail could only be generated once in 24 hours.
PS: I feel Jeff doesn’t have a clue what’s wrong there, but he wants us to give him ideas for his latest project for cheap.
Isn’t it possible that they email some random ‘new’ password?
Well, I guess you tested for that. Either way, that isn’t so obvious based on the screenshot. It could be that they just have the wrong verbiage on the button.
I am going to create a site that requires a username and password, and I will not only store that info in clear text, I will make all passwords accessible to everyone. I am going to use ColdFusion. I will use a hash on user profile create/update for the view.
You’ve all made me very angry pretending that these things matter so much, when in reality anyone using the same password for such things as their financial matters and personal email as they do on Facebook, in my opinion, deserves to be shamed.
Take the advice of our host and use passphrases instead, and if you have an account on Mensa, I would suggest using the following phrase: User Not Found.
You can get to the page in Jeff’s screenshot by going to: http://www.us.mensa.org//AM/Template.cfm?Section=Home
click Events
click Calendar
click the “click here to log in” link (since it asks for log-in)
click “forgot password” on the login page.
See that the Event tab is highlighted? And in the sidebar Event and Calendar are bolded, just like in his screenshot.
As to what is wrong with this page: all assumptions about unencrypted passwords are not supported by concrete evidence. Unless you can show an email from them with a plain-text password, you don’t really know. You can’t prove it. So let’s not go down that path.
I am very curious to know what is wrong with this page. Sometimes, it’s better to admit we don’t know if we can’t support our answer with absolute concrete evidence.
I am not quite sure why you picked this particular topic today. If it is really because of how Mensa goes about treating its members’ passwords… well, it is not that interesting. However, if you posted this blog to get a bunch of your readers to poke fun at Mensa, then, my friend, you have done well.
A society of people who can do well at a certain kind of standardized test… yes, they are asking to be ridiculed. On top of it all, there is actually a membership fee. What? Being a brilliant test taker is not enough? I say Roland Berrill and Dr. Lancelot Ware were a couple of hustlers.
What if you’re an American Mensa member and you have changed your mail provider since you registered with them 6 years ago? No way to get your password!
This blog entry can’t be serious. Being a member of Mensa doesn’t mean you excel in everything. OMG, there are some Mensa members out there who can’t code a website! Who knows if the person who made the website is a Mensa member? I’ll shut up now and get a life.
a) Nowadays it is common practice to strongly encrypt passwords, and optionally e-mail addresses, in the database.
b) For password-recovery processes it is common practice (also nowadays) to check a security question and then send a temporary link for resetting the password.
d) I just checked gmail.com and they say they will send me instructions to my secondary e-mail (which I never provided to them). Now it seems I have to wait 24h! to have a security question made available to me!! http://mail.google.com/support/bin/answer.py?answer=46346
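The reset flow sketched in the comments near the top of this thread (mail a random, single-use link rather than a new password; let the user choose the new password on the landing page; allow at most one such mail per 24 hours) and in point b) just above (hash stored passwords, send a temporary reset link) is put together here as an added Python example. It is not code from the original post, from any commenter, or from the Mensa site. The landing-page URL, the PBKDF2 iteration count and the one-hour link lifetime are assumptions; the 24-hour limit is the one proposed in the thread.

```python
"""Single-use, rate-limited password-reset links over salted password hashes.

Added example; the site is an in-memory stand-in. Values marked as assumed are
not from the original discussion.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000         # assumed; tune to your hardware budget
RESET_TOKEN_TTL = 60 * 60           # assumed: a link expires one hour after it is issued
RESET_RATE_LIMIT = 24 * 60 * 60     # one reset mail per 24 hours, as proposed in the thread
RESET_BASE_URL = "https://example.invalid/reset"   # hypothetical landing page


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_token(token: str) -> str:
    """Reset tokens are stored hashed so a leaked table does not yield usable links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class AccountStore:
    """Stand-in for the user table and the reset-token table."""

    def __init__(self) -> None:
        self.users = {}    # username -> {"salt", "pw_hash", "last_reset_request"}
        self.tokens = {}   # hash_token(token) -> (username, expires_at)

    def create_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "last_reset_request": float("-inf"),
        }

    def verify_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw_hash"], hash_password(password, rec["salt"]))

    def request_reset(self, username: str, now=None):
        """Return the link to e-mail to the registered address, or None if no mail goes out.

        The stored password is NOT touched here, so a stranger who knows only the
        account name cannot lock the owner out. Unknown user and rate-limited user
        both return None; the web layer should show the same neutral message in
        either case rather than a "User Not Found" that confirms which names exist.
        """
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None or now - rec["last_reset_request"] < RESET_RATE_LIMIT:
            return None
        rec["last_reset_request"] = now
        token = secrets.token_urlsafe(32)               # 256 bits from a CSPRNG, not a GUID
        self.tokens[hash_token(token)] = (username, now + RESET_TOKEN_TTL)
        return f"{RESET_BASE_URL}?token={token}"

    def complete_reset(self, token: str, new_password: str, now=None) -> bool:
        """Consume the token (it works exactly once) and set the password the user chose."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(hash_token(token), None)   # pop: a second click finds nothing
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        salt = os.urandom(16)
        rec = self.users[username]
        rec["salt"] = salt
        rec["pw_hash"] = hash_password(new_password, salt)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("alice", "correct horse battery")
    link = store.request_reset("alice")
    print("mail this to the registered address:", link)
    print("second request within 24h:", store.request_reset("alice"))
    token = link.split("token=", 1)[1]
    print("first click sets a new password:", store.complete_reset(token, "new pass phrase"))
    print("second click is refused:", store.complete_reset(token, "again"))
    print("new password works:", store.verify_password("alice", "new pass phrase"))
```

The link returned by `request_reset` must only ever leave the server inside the e-mail to the address on file; showing it to whoever typed the username would defeat the whole scheme. Expired tokens are only rejected at use time here; a real deployment would also sweep them out of the table.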