I'm writing a lost password script. This is how it's going to work...

 

  • A user has lost their password...
  • Go to the lost password page
  • enter the email address assigned to the account (also used for logging in)
  • submit form....
  • email matched against database
  • once found new 8 character random pass is generated
  • password encrypted and updated in database
  • password sent to user via email

 

Now I've done this before and am fine doing it; my only question is, is there more I can do for security other than going down the security question route (which I'm not going to)?

 

https://forums.phpfreaks.com/topic/143708-lost-password/

Other than using a captcha, request throttling, or some other means to prevent email guessing (some people do it just to be mean), I'm not aware of any methods other than security questions that would work. That's not to say there aren't other routes to take, just not any I've ever used or encountered.


Naw, I don't really need security questions; it's a form of another password, usually easier to guess :/ since you know the "topic" of the question... especially if it's stuff like "what's your dog's name"!? Like, wth!? lol.

 

Your current structure is fine, but I agree with genericnumber1: make sure people can't spam other email addresses. Once a request email has been sent, say, 3 times (email doesn't always arrive, everyone knows), you should set a flag on the user profile showing that they need to log in with the new password before they can request another new password.

 

Which basically limits the password forget request emails to 3, until the owner of the account logs back in.

 

This would be extremely simple to implement; you don't need any random question stuff. You should definitely have a way for them to enter a new password or change the current one in some "Account" link.

 

My 2 cents :P. It's what I would do. Inactive accounts I would delete after some months.

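The flow the original post lists (look up the email, generate an 8-character random password, store it hashed, email it) together with the cap the last reply proposes (three reset emails, then nothing more until the owner logs in with the new password) fit in one small handler. The block below is an added example, not code from the thread; the original script is PHP, but the logic is shown here in Python. The in-memory USERS dictionary, the OUTBOX list standing in for the mailer, and the record fields hash and reset_count are assumptions for the example. Two choices go slightly beyond what the posts describe: the password is salted and hashed with PBKDF2 rather than "encrypted", and the handler returns an internal outcome while the page shown to the browser is meant to be the same whether or not the address exists, which is what stops the form from being used to guess which emails have accounts (the "email guessing" the second reply mentions).

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed in-memory stand-in for the users table; the record layout
# (hash, reset_count) is an assumption for this example.
USERS = {}
OUTBOX = []                       # (email, temporary password) pairs "sent"

RESET_LIMIT = 3                   # reset emails allowed until the owner logs in again
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def register(email, password):
    USERS[email.lower()] = {"hash": hash_password(password), "reset_count": 0}


def generate_temp_password(length=8):
    """8-character random password drawn from a CSPRNG (secrets, not rand())."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def send_email(email, temp_password):
    """Stand-in for the mailer: records what would have been sent."""
    OUTBOX.append((email, temp_password))


def request_reset(email):
    """Lost-password form handler.

    Returns the internal outcome ('sent', 'unknown' or 'throttled') so the
    caller can log it. The page returned to the browser should read the same
    for all three ("if that address is registered, a new password has been
    emailed"); otherwise the form confirms which addresses have accounts.
    """
    user = USERS.get(email.lower())
    if user is None:
        return "unknown"
    if user["reset_count"] >= RESET_LIMIT:
        return "throttled"               # no new password until a successful login
    temp = generate_temp_password()
    user["hash"] = hash_password(temp)   # the old password stops working immediately
    user["reset_count"] += 1
    send_email(email, temp)
    return "sent"


def login(email, password):
    user = USERS.get(email.lower())
    if user is None or not verify_password(password, user["hash"]):
        return False
    user["reset_count"] = 0              # a successful login clears the throttle flag
    return True


if __name__ == "__main__":
    register("alice@example.com", "original-pw")
    for _ in range(4):
        print(request_reset("alice@example.com"))      # sent, sent, sent, throttled
    _, last_temp = OUTBOX[-1]
    print(login("alice@example.com", "original-pw"))  # False: old password was replaced
    print(login("alice@example.com", last_temp))      # True: counter is reset
    print(request_reset("alice@example.com"))         # sent
```

Only the most recently emailed password is valid, because each request overwrites the stored hash; a failed login does not clear the counter, so someone who can trigger the form but cannot read the mailbox is stuck at three emails. The "Account" page the last reply asks for would call hash_password on the user's chosen replacement after login.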
