Security Suggestion: Hashing
Good day,

First of all, this is a nice forum. :) I still haven't got a 'check-daily-forum' for C#, but this one seems to fit, although it's maybe a little slow.

I have one suggestion though. I noticed you send a notification mail when, e.g., you change your account information or when you use the lost-password thing or so, and in that mail you add the password of the user.

Now this is something that has always annoyed me: since you can tell me my own password, that means my password is stored somewhere on your servers. That's not how a service is supposed to work; a service should only store the hash of the password on the servers. That's the reason why many services can only 'reset' your password instead of recovering it. This is not only safer for storing, but also for sending the password when someone logs in, creates an account, etc. Encryption is certainly not enough, and doesn't fit for passwords anyway. Are you planning on changing this?
Anyway, I hope this forum will get more active every day. :)
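The post above argues for storing only a hash and offering reset rather than recovery. The following is an added worked example (not code from the forum or its software) showing what that looks like in practice: a salted, iterated password hash (PBKDF2-HMAC-SHA256, a parameter choice assumed here), constant-time verification, and a reset flow that e-mails a one-time token whose hash, not the token itself, is stored. The in-memory `UserStore` class, the usernames and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a random
# 16-byte salt per user and a deliberately slow iteration count, so that a
# stolen table cannot be brute-forced cheaply.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    Only this record is stored; the plaintext never is, so the service can
    verify a password but can never mail it back to the user.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != ALGO_TAG:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


class UserStore:
    """In-memory stand-in for the account table (constructed for this example)."""

    def __init__(self) -> None:
        self.users = {}          # username -> password record
        self.reset_tokens = {}   # sha256(token) hex -> (username, expiry timestamp)

    def create_account(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            hash_password(password)  # burn the same time so unknown users are not distinguishable by timing
            return False
        return verify_password(password, record)

    def begin_reset(self, username: str, ttl_seconds: int = 900,
                    now: Optional[float] = None) -> str:
        """Return the one-time token to put in the e-mail; only its hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[digest] = (username, now + ttl_seconds)
        return token

    def finish_reset(self, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        """Consume the token (single use), reject it if expired, and store the new hash."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.pop(digest, None)   # pop: a token can be used at most once
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.create_account("alice", "correct horse")
    print("login ok:", store.login("alice", "correct horse"))
    token = store.begin_reset("alice")        # this is what the e-mail would carry
    print("reset ok:", store.finish_reset(token, "new passphrase"))
    print("old password still works:", store.login("alice", "correct horse"))
```

Two points worth noting from the design: the record stores its own salt and iteration count, so the cost parameter can be raised later and old records re-hashed on the next successful login; and because the reset table holds only `sha256(token)`, a leaked database does not hand an attacker usable reset links, the same reasoning the post applies to the password itself.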