Last week I said: don't encrypt your passwords, hash them and add a bit of salt. And this was really good because I started to get a lot of feedback. A lot of people said, oh, that was really cool, the way you explained it. Of course it was, I explained it. A lot of people suggested alternative techniques such as quantum cryptography and zero-knowledge encryption, and this is all great stuff.

One of the most common comments I got was: what happens when a user forgets their password? Because it's hashed, you can't send them their password, and that's the whole point of it. You're not meant to send the user their password. So what do you do when a user forgets their password? Normally I prefer an approach a bit like this. Okay, now if your company policy prohibits something like that, which I have no idea why they would not want to go with it, but, you know, HR... Sometimes people resort to asking secret questions, secret questions as such to answer things. So they'll say, oh, you've forgotten your password, what's your email address? You put in your email address and say okay. What's your hair colour? And then you sit around thinking, hmm, that's really secret, isn't it? Or mother's maiden name, or date of birth. And these are all things that anyone who's your friend on Facebook, or not even your friend on Facebook, can find out. So there's not really a lot of value in that.

Gaining access back to an account whose password you've forgotten: there are lots of different ways you can do this, and I don't know why I end up talking about passwords every time, because there are so many different ways and schools of thought. It raises a lot of controversy a lot of the time, but this is the last time I'm going to be talking about passwords. So if I ever make another video about passwords, you know, feel free to buy me a lemon cake. That's my weakness, lemon cakes. Yeah, they're like torture to me. Or Krispy Kreme donuts.
So what you could do is this: get the user to enter their email address and say, I've forgotten my password, and then email them a tokenized URL. Now, don't display anything on the screen saying that this is valid or not valid, even if it's a wrong password, because you don't want someone going through and harvesting and finding out what the legitimate emails and user IDs are. So always send a response, even if the response is like, you're wrong. Then set it so that it expires within a set period of time, one hour to three hours or something like that, and make it so that it's one time only. So when the user clicks on it, you go to it and just reset your password using the standard reset function that's built into your application, which should be secure, as opposed to a new function. Allow the user to change the password that way and then log in using the new password. And once they've done this, email them a confirmation saying: you asked for a password reset and here you've successfully changed your password, and if it was not you that requested this password reset, then call up the help desk and we'll go medieval on somebody. Well, no, they'll probably just suspend the account and let you reset it again.

Anyway, like I said, this is probably going to be, hopefully, the last time I'm going to be talking about passwords, because I get shot down a lot every time I talk about passwords. And security is more than just passwords, but it's that big element from a user perspective. "Passwords are dead. Yeah, you shouldn't be talking about passwords anyway. Two-factor authentication is the way to go." Now that's an interesting theory, because passwords really aren't dead and they're not going to be dead. Why? Because from a security perspective, yes, we might say they're weak: users are prone to forgetting them, there are issues around the safe, secure storage, the transmission, and blah, blah, blah. Passwords are very weak. They're a relic. They're a thing of the past.
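The reset flow described above, written out as an added example (this is not the speaker's code). It assumes an in-memory dictionary standing in for the user and token tables, an `outbox` list standing in for the email gateway, a one-hour token lifetime (the short end of the one-to-three-hour window mentioned), and scrypt for password hashing; all of those are illustrative choices. The points it makes concrete are the ones from the transcript: the same response whether or not the address exists, a random token of which only a hash is stored, expiry, single use, and a confirmation email after the change.

```python
"""Token-based password reset with uniform responses, expiry and one-time use."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 60 * 60   # assumed: one hour, the short end of the suggested window
GENERIC_RESPONSE = "If that address is registered, a reset link has been emailed."


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}    # email -> {"salt": bytes, "pw_hash": bytes}  (stand-in for a DB)
        self.tokens = {}   # sha256(token) hex -> {"email", "expires", "used"}
        self.outbox = []   # constructed stand-in for an email gateway: (to, body)

    def _hash_password(self, password, salt):
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw_hash": self._hash_password(password, salt)}

    def verify_login(self, email, password):
        user = self.users.get(email)
        if user is None:
            return False
        return hmac.compare_digest(user["pw_hash"], self._hash_password(password, user["salt"]))

    def request_reset(self, email):
        """Step 1: answer identically for known and unknown addresses (no enumeration)."""
        if email in self.users:
            token = secrets.token_urlsafe(32)   # the raw token goes only into the email
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = {           # store only the hash, so a DB leak is not a token leak
                "email": email,
                "expires": self.clock() + TOKEN_TTL_SECONDS,
                "used": False,
            }
            self.outbox.append((email, f"https://example.invalid/reset?token={token}"))
        return GENERIC_RESPONSE

    def complete_reset(self, token, new_password):
        """Step 2: redeem the token once, before expiry, set the password, then confirm."""
        record = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if record is None or record["used"] or self.clock() > record["expires"]:
            return False
        record["used"] = True                 # one-time use: a replayed link is refused
        email = record["email"]
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw_hash": self._hash_password(new_password, salt)}
        self.outbox.append((email, "Your password was changed. If this was not you, "
                                   "contact the help desk."))
        return True


def demo():
    """Walk the flow with a controllable clock on constructed sample data."""
    now = [1_000_000.0]
    svc = ResetService(clock=lambda: now[0])
    svc.register("alice@example.invalid", "old-password")
    results = {}
    results["same_response"] = (svc.request_reset("alice@example.invalid")
                                == svc.request_reset("nobody@example.invalid"))
    results["emails_sent"] = len(svc.outbox)            # only the real user got a link
    token = svc.outbox[0][1].split("token=", 1)[1]
    results["first_use"] = svc.complete_reset(token, "new-password")
    results["replay"] = svc.complete_reset(token, "attacker-password")
    results["old_login"] = svc.verify_login("alice@example.invalid", "old-password")
    results["new_login"] = svc.verify_login("alice@example.invalid", "new-password")
    results["confirmation_sent"] = len(svc.outbox) == 2
    # A fresh link left unused past the TTL must also be refused.
    svc.request_reset("alice@example.invalid")
    stale = svc.outbox[-1][1].split("token=", 1)[1]
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = svc.complete_reset(stale, "another-password")
    return results


if __name__ == "__main__":
    print(demo())
```

In a real deployment the token lookup would also be rate-limited and the reset endpoint would be the application's normal, already-reviewed password-change path, as the transcript says, rather than a second code path written just for resets.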
They're the mummies. They're the goons. They're like the dodo. They've gone the way of the dinosaur. We can say all of that, and I think no one who's really keen about security will disagree with it. However, passwords are used to secure applications that are run by a business, and these are generally a business decision. Businesses aren't interested in making their apps 100% secure. They just want to make them secure enough and convenient enough so that their customers can log in, conduct their business and generate their money. If they started implementing 2FA or biometrics and everything into everything, okay, they might be more secure, but they're probably going to alienate a lot of customers to start off with. Okay, you could argue there'll be a learning curve and eventually everyone will come around. But the other big thing is that it costs a lot of money. Passwords are really cheap to maintain: you can have a web app and a database and something built into it that handles your password, securely or insecurely, but it's very quick and simple and you can get it up and running. If you implement 2FA, you either have to buy tokens, configure them, send them out to the user, make sure the user doesn't lose them and manage it like that, or, even if it's a soft token, so it's software they install on their mobile phone or something, it's still another layer of cost and licensing and administration. And if you run a website that, you know, users sign up to and then never bother coming back to, that's a lot of tokens you've issued and set up that no one's ever going to use again. So until there's a strong business case, businesses aren't going to move away from them. And that's how they're going to stay secure, my friends.