1

If a company sends me a new password via SMS/email because I clicked "forgot my password." Does that mean the company is not actually hashing my passwords?

Steve Dodier-Lazaro
  • 6,828
  • 29
  • 45

2 Answers2

8

If they are indeed sending you a new password (i.e.: a system-generated password other than the one you previously had) when you click 'forgot my password' then no, that doesn't mean they're not hashing passwords. They can have their forgot password function generate a password, hash it and store it in their database, and then (while it's still in memory) generate an email that includes the plaintext value.

Iszi
  • 27,027
  • 18
  • 99
  • 163
PwdRsch
  • 8,361
  • 1
  • 28
  • 35
1

I have not encountered a site that actually sends a new password in years. What they do is send a password reset link that expires fairly soon. The lengthy character string won't be brute-forced anytime in this universe but is simply matched (and expiry time checked) to allow you to enter a new password of your choosing. Good sites will do that on an SSL page.

An attacker would have to compromise either the outgoing mail from the site or your incoming mail, probably easier to go another route.

paul
  • 195
  • 1
  • 2
  • 1
    Some sites will generate a random password, send it to you via email and set a flag on your account that forces you to change your password on next login; similar to how an IT administrator would do if you forgot your user account password. – sleblanc Aug 15 '14 at 02:18