
Thread: forgot password

  1. #1
    Jaynesh, SitePoint Addict (joined Sep 2006, 238 posts)

    forgot password

    Hello

    I am working on a forgot password script.
    When a user puts in their email address, a password will be emailed to them.

    The problem is all my passwords are md5 encrypted. When the email is sent, it gives them the encrypted password.

  2. #2
    guido2004, "From Italy with love" (joined Sep 2004, 9,500 posts)
    You don't send them their original password. You send them a randomly created one, which you store encrypted in the database.

  3. #3
    qkey48, SitePoint Member (joined Jan 2012, 11 posts)
    yes, you should give them a temporary password for one time login access. After that they can restore their password.

  4. #4
    Max Height, Non-Member (joined Dec 2011, 303 posts)
    Quote Originally Posted by Jaynesh:
    I am working on a forgot password script.
    When a user puts in their email address, a password will be emailed to them.

    The problem is all my passwords are md5 encrypted. When the email is sent, it gives them the encrypted password.
    A more secure option is to create a new random password and set its hashed version (don't forget the salt) as the new password for the user account. Then send the unhashed version to the user in an email with an instruction to change their new password to something else when they next log in. When they next log in with their new password, prompt them to change their password to something else and don't let them do anything else until they have successfully done so. This way, "in theory", only the user gets to see the unhashed new password in their email.

    btw - if you google md5/sha1 hashing I think you'll find the general consensus is that sha1 is a better hashing algorithm than md5.

  5. #5
    SitePoint Member (joined Nov 2012, Dhaka, 2 posts)
    You can give them a temporary password for one-time use.

  6. #6
    felgall, "Programming Since 1978" (joined Sep 2005, Sydney, NSW, Australia, 16,825 posts)
    Just one point that hasn't been mentioned - hashing is a one way process and it is not possible to work out what their original password was from the hash as there are millions of possible values that all produce the same hash. Of course they most likely used the shortest one but there's no reason why someone couldn't use the text of "war and peace" as their password if they didn't mind spending months each time to log in.
    Stephen J Chapman

  7. #7
    SitePoint Guru (joined Dec 2003, Poland, 930 posts)
    When you generate the new temporary password don't forget that the old password should still work, too, as long as the user hasn't set the new password yet. The forgot password form could be used by anyone, so someone might enter someone else's email address and send the form (either by mistake or intentionally). If the old password stopped working at that moment, then the user the account belongs to would be blocked.

    Another approach would be to simply send a one-time link with a unique code that will enable the user to set a new password - so no need to generate a random password. The link would lead the user to a form where they can set the password. However, it's a good idea to make the link expire soon, for example after 24 hours.
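    The one-time link approach from this post, as an added example in Python (not code from the thread): the reset code is random, only its hash is stored, it expires after 24 hours, it can be used once, and the account's existing password is left untouched until the new one is set. The in-memory ResetTokenStore, the accounts dict and the PBKDF2 password hashing are constructed for the example; any salted password hash would do.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=24)  # the expiry suggested in the post

def hash_password(password: str) -> str:
    # Salted PBKDF2 stored as "salt$hash" (constructed for this example).
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class ResetTokenStore:
    """Stand-in for a reset_tokens table; only the code's hash is kept, never the code."""
    def __init__(self, now=None):
        self._rows = {}  # email -> (token_hash, expires_at)
        self._now = now or (lambda: datetime.now(timezone.utc))

    def issue(self, email: str) -> str:
        """Create the code for the emailed link; the account's password is untouched."""
        token = secrets.token_urlsafe(32)
        self._rows[email] = (_digest(token), self._now() + TOKEN_TTL)
        return token

    def redeem(self, email: str, token: str) -> bool:
        """Accept the code once, and only before it expires."""
        row = self._rows.get(email)
        if row is None or self._now() > row[1]:
            self._rows.pop(email, None)  # expired entries are dropped
            return False
        if not hmac.compare_digest(row[0], _digest(token)):
            return False
        del self._rows[email]  # single use
        return True

def reset_password(store, accounts, email, token, new_password) -> bool:
    """Change the stored password only when the link's code checks out."""
    if not store.redeem(email, token):
        return False
    accounts[email] = hash_password(new_password)
    return True
```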

  8. #8
    Cups, SitePoint Wizard (joined Oct 2006, France, deep rural, 6,869 posts)
    Dear Leo Tolstoy.

    The password you required has already been taken.

    Please choose another one.
    Damn, that took me 7 years ....