If you salt & hash a pw in a db, should you also do so for the response to the challenge question used during a temporary pw generation?
Thanks,
JDelage
It depends on what you want to do with the stored response. If you only want to compare it exactly to the response supplied by the user, storing it as a salted hash will be fine and is highly recommended.
But if you allow an answer that is almost correct (e.g. case sensitivity or missing whitespace), you will need the original string for comparison. Also, if you have a helpdesk that supports users resetting their password, you might want them to be able to compare the answers. In such cases you will need the original string; the hash is useless. Your decision depends on what you might need the original string for during the password reset process.
In case you cannot avoid storing the information in clear text, you should enforce additional restrictions on password resets, such as a validated email address to send an authorization link to, before the password can be changed.
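Added example (not from the question or the answer above): a salted, iterated hash of the challenge response with a constant-time comparison, as the answer recommends for exact matching. It goes one step beyond the answer by canonicalizing the response (Unicode NFKC, case folding, whitespace collapsing) before hashing, so the case and whitespace tolerance mentioned above no longer requires keeping the plaintext; anything fuzzier, such as typo tolerance or a helpdesk reading answers aloud, still does. The canonicalization policy, iteration count and salt size are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Parameters chosen for this example (assumptions, not from the original post).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def canonicalize(answer: str) -> str:
    """Reduce a challenge response to a canonical form so that case and
    whitespace differences do not matter. Hypothetical policy: Unicode NFKC,
    casefold, and collapse runs of whitespace to a single space."""
    normalized = unicodedata.normalize("NFKC", answer)
    return " ".join(normalized.casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the canonical form of the answer.
    A fresh random salt is generated per stored record unless one is supplied
    (it is supplied only when re-deriving the digest for verification)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(supplied: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive the digest for the supplied response with the stored salt and
    compare in constant time, so the plaintext answer is never needed."""
    _, candidate = hash_answer(supplied, salt)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Constructed sample: what gets stored in the database at enrolment time.
    salt, digest = hash_answer("Fluffy the Cat")
    print(verify_answer("  fluffy   THE cat ", salt, digest))  # True
    print(verify_answer("Fluffy the Dog", salt, digest))       # False
```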