I am a member of another forum and forgot my password, so I clicked the "Forgot password" link and was told "fill this form out and we'll send you your lost password" or words to that effect. It occurred to me that I had never seen language like this and I figured that this was bad security. Normally you are sent a link to RESET your password. You are NOT sent your OLD password that you forgot. I've never been responsible for authenticating user's passwords, but my understanding is that you are not supposed to store the password on the server side, you are supposed to store a HASH of the password (or some salted version of it?), not the password itself, and thus they should not be able to give me back my password. If they can send me my password back, then they must have saved my password or are using a bad hash function, correct? Additionally, even if they could send me back my password, wouldn't they want to force me to change it because it may no longer be secure on my end? Why take that chance?

Just wanted to know if my understanding of this is correct and this is bad security policy on their end. I never actually filled out the form since I remembered my password before I started filling the form out and hitting "Send".

If some site actually sent you an email with the password that is indeed not a good thing since they should not have the in the clear password according to current thinking. Current thinking is to use one way encryption and compare the results. If they have your password in a database, "that's not good."

What has been acceptable is to send you a password that is good for only a few minutes. Current thinking on this is fluid.

Indeed, the standard way of saving passwords is to first salt and then hash them, saving only the hash. In the login process, re-salt the entered password, hash that, and compare with the saved hash.

Worth mentioning that MD5 which is a commonly used hash algorithm might not be the wisest choice.

As for lost password procedure what I have implemented in the past and is rather common would be to send an email with a retrieval link. The link would include the account identifier or email and a randomly generated UID which is stored in the database. Upon submiting that page I would compare the link's UID with the database UID for the link's account identifier, then generate a new UID to invalidate that link so it cannot be reused.

There is definitely other ways to go about this and anything would be considered better than emailing the current password in clear text! :P

Since I remembered my password before hitting the "Submit" button, I don't know whether I would have gotten an e-mailed password back or how they were going to "send" me my old password. But it should actually be impossible to send me my old password if they were doing things right, correct? I'm trying to elaborate on the "clear text" portion of your post. They could try to send it Pony Express or by carrier pigeon or snail mail or e-mail or whatever, it's all impossible because the only place my password would be saved would be on MY computer, so they can't send it in clear text or any other way because they don't have my old password to send, correct? If they CAN send it back, that means they screwed up somewhere, right?

I think we're talking the same language here, just trying to verify that.

You're right. If they are doing things right, they can't send you your old password.

Thanks guys. That's what I figured, just wanted to verify. Solved.