How do you get the encrypted password to send password reminder.

[heldenbrau]

I've set up a forum with a login that uses encryption.  But how do you send people a password reminder when they have forgotten their password?

[pengu]

Logic!

You have a username field, a password field and an email field.

 

Do a SQL query for the relevant information, SELECT password,email FROM users WHERE username = '$username' for example

 

Pull that information from the database and do a email form.

 

 

That's the logic I'd use, obviously adding a few more things.

[will35010]

During registration, have the user input a password reminder.

[heldenbrau]

That is what I did try, but the password in the database is encrypted so I get something like this:

 

&H9&G7g9&er5h3YOgh3hhsbbHBSBBIUgyo

 

instead of the password

 

the password is verified by encrypting the password they enter and matching it to the encrypted password.  But this doesn't unencrypt it, so I can't use the same method to get the password to send it to the user.

 

 

[heldenbrau]

Is it necessary to use encryption for a user forum password?

[roopurt18]

Are you hashing the password or encrypting it?  There is a BIG difference between the two.

 

Hashing is one way and irreversible.  Once hashed, you can never know what the original value was.  md5() and sha1() are examples of hashes.

 

Encryption is a two-way street.  Values are encrypted, using a key, to produce random garbage.  If you have the random garbage (or encrypted value) and the secret key, you can decrypt back to the original value.

 

If you wrote this code in the first place and are using encryption, then you would probably know how to decrypt it as well.

 

But since you're confused and having trouble, I'm guessing you've used a hash.

 

In that case, what you can do is add a column to the users table:

alter table `users` add column `invite_key` varchar(40) null default null;
alter table `users` add column `invite_expiration_tm` timestamp null default null;

 

When someone has lost their password, do the following:

1) Generate a unique 40 character string, something like:
$invite_key = sha1( date('YmdHis') . 'r4nd0ms4l7' . $username );
2) Update the user's row with $invite_key and the current time plus an offset, like 12 hours (something like [i]set invite_expiration_tm=now() + '12 hours')
3) Send the user an e-mail with a URL containing the invite key
http://www.yoursite.com/invite_user.php?user=theUsername&key=19291fla91lofjaJsadlfjaweo!92387asldfjalfj
4) invite_user.php should attempt to look up the $_GET['user'] containing $_GET['key'] within the allotted amount of time.
  a) If invalid, send to error page
  b) If valid
    i) log user in
    ii) Update the database and set invite_key=NULL and invite_expiration_tm=NULL
    iii) Redirect user to change password page

[roopurt18]

As added security, your page that sends the e-mail can also set a cookie on the user's machine.

 

Then invite_user.php can check for the cookie as well to make sure the agent following the URL in the e-mail is the one that originated the request.

[heldenbrau]

Thanks a lot for typing all that out, I was using a hash and not encryption.  I think I will try and use encryption if it is not as much hassle as doing what you have suggested because I am lazy.

 

This password encryption is to protect users on a forum from having their passwords stolen.  It is just a general forum no personal details are stored.  I am the only person who accesses the database. 

 

Is there any need for me to encrypt the password?  I can only see that it would need protecting by encryption if other people had access to the database and it contained personal details.   

[markwillis82]

I've always used the hashing algorithms to store passwords, then getting users to eneter new passwrods upon forgetting there old ones.

 

This password encryption is to protect users on a forum from having their passwords stolen.  It is just a general forum no personal details are stored.  I am the only person who accesses the database.

 

Is there any need for me to encrypt the password?  I can only see that it would need protecting by encryption if other people had access to the database and it contained personal details. 

 

You may find (and I do it too) that many users use the same password for 2 / 3 /all there website registrations - so if someone got access to your database (SQL Injection or something) they could get all your users passwords then have higher chances of getting more vital information (as they would have email + password) that may be the same as something like there paypal login details, etc.

 

The same could be said if you used basic encryption/decryption in PHP / MySQL without the use of salts. Although your passwords would be encrypted  - it wouldn't take long to decrypt them.

 

I would stick with md5/sha hashes (although sha is stronger)

 

Mark Willis

[Mark Baker]

Thanks a lot for typing all that out, I was using a hash and not encryption.  I think I will try and use encryption if it is not as much hassle as doing what you have suggested because I am lazy.

Rather than use encryption and decrypt to tell them what their old password was if they've forgotten it, do what most sites do: on a request for a forgotten password, reset the password to a new (random) value, and e-mail them that, then force them to reset it to a new password of their choice when they next login.

[TeNDoLLA]

roopurt18, I have lived in that knowledge sha1 is encryption and not hash, have I been wrong?

[roopurt18]

From the manual:

http://us2.php.net/manual/en/function.sha1.php

Calculates the sha1 hash of str using the » US Secure Hash Algorithm 1.