[opencms-dev] Getting User Password without logging in

Joachim Arrasz info at arrasz.de
Thu Oct 19 16:00:42 CEST 2006


Thomas,

> You are right, the missing encryption or two-way encryption for the
> password is not safe.
> 
> For the webuser I don't see any problems, but all people who have direct
> SQL access to the database may get all passwords...

The only really good solution is to do it as mentioned before. If a
user has lost it, reset it and send a mail with a temporary PWD to the
underlying e-mail address. After that he has to reset it and set a new
one. This has to be checked by an admin of the system. And if it is a
really safe system you have to develop, you have to use encryption for
e-mailing. OpenCms doesn't support this directly, so you have to develop
this yourself.

hth

Kind Regards

Achim

-- 
/**
 * Joachim Arrasz
 * Head of technical Research
 * Synyx GmbH & Co. KG --OpenCms Solution Provider--J2ME Solutions--
 * Karlstr. 68
 * 76137 Karlsruhe
 * phone  +49(0)721 66 48 79 32
 * fax    +49(0)721 66 48 877
 * eMail  joachim.arrasz at synyx.de
 * www    http://www.synyx.de
 */
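
The reset flow described in the message above, as an added example that is not part of the original post and not OpenCms code: the stored password is a salted one-way hash, a reset replaces it with a random temporary password that expires, and that temporary password only unlocks the change-password step. The `Account` class, the function names, the one-hour lifetime and the PBKDF2 work factor are assumptions; mail delivery and the admin check are left out.

```python
import hashlib
import hmac
import secrets
import time

TEMP_TTL = 3600        # assumption: temporary password is valid for one hour
ITERATIONS = 200_000   # assumption: PBKDF2 work factor

class Account:
    """Hypothetical user record; only a salt and a one-way digest are stored."""
    def __init__(self, email, password):
        self.email = email
        self.temp_expires = None   # set while a temporary password is active
        set_password(self, password)

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(account, password):
    # Fresh salt per password; the clear text is never kept on the record.
    account.salt = secrets.token_bytes(16)
    account.digest = _digest(password, account.salt)

def verify(account, password):
    return hmac.compare_digest(account.digest, _digest(password, account.salt))

def start_reset(account, now=None):
    """Replace the password with a random temporary one and return it for mailing."""
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(12)
    set_password(account, temp)
    account.temp_expires = now + TEMP_TTL
    return temp

def login(account, password, now=None):
    """Return 'ok', 'change_required' or 'denied'."""
    now = time.time() if now is None else now
    if not verify(account, password):
        return "denied"
    if account.temp_expires is None:
        return "ok"
    # A temporary password only unlocks the change step, and only before expiry.
    return "change_required" if now <= account.temp_expires else "denied"

def change_password(account, current, new, now=None):
    """Set a new password and clear the temporary state; False if refused."""
    if login(account, current, now) == "denied" or new == current:
        return False
    set_password(account, new)
    account.temp_expires = None
    return True
```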


