You're Probably Storing Passwords Incorrectly

The problem is not Facebook’s. They’re just using a common bit of code to help the user find their contacts.

That’s interesting, because Facebook uses images with one-hour expiration tags to prevent anyone from screen-scraping their contacts. Which is exactly what they do to other services…

http://www.25hoursaday.com/weblog/2007/08/21/FacebookTheSocialGraphRoachMotel.aspx

How do you avoid storing a password in plaintext when a password-recovery-service is required?

Why do we have to email the current password to the user? We can simply reset the user’s password, and let them change it after they log in.

If the salt is random, how do we reliably generate the same salt value?

I was confused about this as well. You store the hash of the random, long salt in the user table right next to the hash of the password. It’s not a secret, so you don’t have to hide it.
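To make the two threads above concrete (the reset-instead-of-email suggestion, and the question of where the random salt lives), here is an added example that is not from this discussion or from any of the commenters. It keeps a per-user random salt in the clear beside the PBKDF2 hash, recomputes the hash at login from that stored salt, and handles "forgot password" by issuing a fresh random temporary password rather than revealing the old one. The in-memory `USERS` dict, the `hash_password`/`register`/`verify`/`reset_password` names and the iteration count are all my own assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "user table": username -> {"salt": bytes, "hash": bytes}.
# A real application would keep these two columns in its database.
USERS = {}

# PBKDF2-HMAC-SHA256 work factor (assumption: tune to your hardware).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Generate a fresh random salt for this user and store salt + hash.

    The salt is stored as-is next to the hash: it must be unique per user,
    but it does not need to be secret, so there is nothing to "regenerate".
    """
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether the account exists.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def reset_password(username: str) -> str:
    """Replace the stored credential with a new random temporary password.

    Returns the temporary password so it can be delivered to the user
    out of band. The old password cannot be sent back because only its
    salted hash was ever kept; the user changes the temporary one after login.
    """
    if username not in USERS:
        raise KeyError(f"no such user: {username}")
    temporary = secrets.token_urlsafe(12)
    register(username, temporary)  # new salt, new hash; old credential is gone
    return temporary


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "wrong password"))                 # False
    temp = reset_password("alice")
    print(verify("alice", "correct horse battery staple"))  # False: old password revoked
    print(verify("alice", temp))                            # True: temporary password works
```

Two users who pick the same password end up with different stored hashes because their salts differ, which is the whole point of salting; and because the salt sits in the record, the login path never has to "reliably generate" it, only read it back.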