DeepSeek, posted August 19, 2009:
I've set up a forum with a login that uses encryption. But how do you send people a password reminder when they have forgotten their password?
Thread: https://forums.phpfreaks.com/topic/171058-how-do-you-get-the-encrypted-password-to-send-password-reminder/
DeepSeek, posted August 19, 2009:
Logic! You have a username field, a password field and an email field. Do a SQL query for the relevant information, for example:
SELECT password,email FROM users WHERE username = '$username'
Pull that information from the database and do an email form. That's the logic I'd use, obviously adding a few more things.
Gemini, posted August 19, 2009:
During registration, have the user input a password reminder.
DeepSeek (author), posted August 19, 2009:
That is what I did try, but the password in the database is encrypted, so I get something like this:
&H9&G7g9&er5h3YOgh3hhsbbHBSBBIUgyo
instead of the password. The password is verified by encrypting the password they enter and matching it to the encrypted password. But this doesn't unencrypt it, so I can't use the same method to get the password to send it to the user.
DeepSeek (author), posted August 19, 2009:
Is it necessary to use encryption for a user forum password?
Perplexity, posted August 20, 2009:
Are you hashing the password or encrypting it? There is a BIG difference between the two.

Hashing is one way and irreversible. Once hashed, you can never know what the original value was. md5() and sha1() are examples of hashes.

Encryption is a two-way street. Values are encrypted, using a key, to produce random garbage. If you have the random garbage (or encrypted value) and the secret key, you can decrypt back to the original value.

If you wrote this code in the first place and are using encryption, then you would probably know how to decrypt it as well. But since you're confused and having trouble, I'm guessing you've used a hash.

In that case, what you can do is add a column to the users table:
alter table `users` add column `invite_key` varchar(40) null default null;
alter table `users` add column `invite_expiration_tm` timestamp null default null;

When someone has lost their password, do the following:
1) Generate a unique 40 character string, something like:
$invite_key = sha1( date('YmdHis') . 'r4nd0ms4l7' . $username );
2) Update the user's row with $invite_key and the current time plus an offset, like 12 hours (something like set invite_expiration_tm=now() + '12 hours')
3) Send the user an e-mail with a URL containing the invite key:
http://www.yoursite.com/invite_user.php?user=theUsername&key=19291fla91lofjaJsadlfjaweo!92387asldfjalfj
4) invite_user.php should attempt to look up the $_GET['user'] containing $_GET['key'] within the allotted amount of time.
  a) If invalid, send to error page
  b) If valid
    i) log user in
    ii) Update the database and set invite_key=NULL and invite_expiration_tm=NULL
    iii) Redirect user to change password page
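The reset flow sketched in the post above, as an added example (not code from the thread), written against the `users` columns the post defines and an assumed PDO connection `$pdo`. It swaps in two hardening choices the post does not make: the key comes from random_bytes() instead of sha1(date(...)), which an attacker could predict, and only a hash of the key is stored, so the column must be widened to varchar(64).

```php
<?php
// Added example, not from the thread. Assumes: PDO connection $pdo and a
// `users` table with columns `username`, `invite_key` (varchar(64)) and
// `invite_expiration_tm` as in the post above.

// Step 1+2: generate an unguessable key, store its hash plus a 12 hour expiry.
// Returns the raw key for the caller to e-mail (step 3), or null if no such user.
function createResetToken(PDO $pdo, string $username): ?string
{
    // 32 random bytes -> 64 hex chars; CSPRNG, unlike a timestamp-based sha1
    $token = bin2hex(random_bytes(32));
    // Store only a hash: a leaked DB row cannot be replayed as a reset link
    $stmt = $pdo->prepare(
        'UPDATE users SET invite_key = ?, invite_expiration_tm = NOW() + INTERVAL 12 HOUR
         WHERE username = ?'
    );
    $stmt->execute([hash('sha256', $token), $username]);
    return $stmt->rowCount() === 1 ? $token : null;
}

// Step 4: validate user + key within the allotted time, then burn the key.
// Returns true when the caller may log the user in and redirect to change-password.
function consumeResetToken(PDO $pdo, string $username, string $token): bool
{
    $stmt = $pdo->prepare(
        'SELECT invite_key FROM users
         WHERE username = ? AND invite_key IS NOT NULL AND invite_expiration_tm > NOW()'
    );
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    // hash_equals() avoids a timing side channel on the comparison
    if ($stored === false || !hash_equals($stored, hash('sha256', $token))) {
        return false; // unknown user, expired, or wrong key -> error page (4a)
    }
    // Single use: clear the key before the session is created (4b ii)
    $pdo->prepare('UPDATE users SET invite_key = NULL, invite_expiration_tm = NULL
                   WHERE username = ?')->execute([$username]);
    return true;
}

// invite_user.php would call:
// consumeResetToken($pdo, (string)($_GET['user'] ?? ''), (string)($_GET['key'] ?? ''))
```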
Perplexity, posted August 20, 2009:
As added security, your page that sends the e-mail can also set a cookie on the user's machine. Then invite_user.php can check for the cookie as well to make sure the agent following the URL in the e-mail is the one that originated the request.
DeepSeek (author), posted August 20, 2009:
Thanks a lot for typing all that out, I was using a hash and not encryption. I think I will try and use encryption if it is not as much hassle as doing what you have suggested because I am lazy.

This password encryption is to protect users on a forum from having their passwords stolen. It is just a general forum; no personal details are stored. I am the only person who accesses the database. Is there any need for me to encrypt the password? I can only see that it would need protecting by encryption if other people had access to the database and it contained personal details.
Mistral, posted August 20, 2009:
I've always used the hashing algorithms to store passwords, then getting users to enter new passwords upon forgetting their old ones.

> This password encryption is to protect users on a forum from having their passwords stolen. It is just a general forum; no personal details are stored. I am the only person who accesses the database.
> Is there any need for me to encrypt the password? I can only see that it would need protecting by encryption if other people had access to the database and it contained personal details.

You may find (and I do it too) that many users use the same password for 2 / 3 / all their website registrations, so if someone got access to your database (SQL injection or something) they could get all your users' passwords and then have higher chances of getting more vital information (as they would have email + password) that may be the same as something like their PayPal login details, etc.

The same could be said if you used basic encryption/decryption in PHP / MySQL without the use of salts. Although your passwords would be encrypted, it wouldn't take long to decrypt them.

I would stick with md5/sha hashes (although sha is stronger).

Mark Willis
Merlin, posted August 20, 2009:
> Thanks a lot for typing all that out, I was using a hash and not encryption. I think I will try and use encryption if it is not as much hassle as doing what you have suggested because I am lazy.

Rather than use encryption and decrypt to tell them what their old password was if they've forgotten it, do what most sites do: on a request for a forgotten password, reset the password to a new (random) value, and e-mail them that, then force them to reset it to a new password of their choice when they next login.
Mistral, posted August 20, 2009:
roopurt18, I have lived in the knowledge that sha1 is encryption and not a hash; have I been wrong?
Perplexity, posted August 20, 2009:
From the manual: http://us2.php.net/manual/en/function.sha1.php
"Calculates the sha1 hash of str using the US Secure Hash Algorithm 1."