The Database Programmer: Advanced Table Design: Secure Password Resets

15 points, by pbnaidu, over 16 years ago

3 comments

jwilliams, over 16 years ago

This may be useful in the database domain, but I don't think it applied to most web contexts.

Most web applications don't bother with database security - it muddles the logic and prevents things like pooling, scale, etc.

For more traditional web apps - typically you have two sources accessing the database - the Web Application and the Administrators. Both of which have access to nearly everything anyway.

This might stop some malicious code from accessing the database improperly - but the fact is, if someone can manipulate the code you've already lost anyway (they could simply just capture the passwords at entry, for example).
ars, over 16 years ago

He's fighting the wrong battle.

He's sending the hash by email! And then working so hard at securing the wrong part of the process - with SSL of course, when email is not encrypted.
trezor, over 16 years ago

"The technique presented today makes full use of database server abilities to create a password reset system that is highly resistant to forgery, interception, and evil-admin meddling."

If you for a second honestly believe that this design will stop admins from being able to tamper with the process, you should be fired on sight.

If you are going to design a secure process, I'd say you should focus more on security outside your system, and worry less about keeping admins out. If you're an admin, you have full access, or the ability to give yourself the full access needed to tamper with this system.
Comment #298550 not loaded
Comment #298485 not loaded