davids701124 Posted November 12, 2009

I can get the email, but $password is empty. Is there anything I did wrong?

    <?php
    require('dbconnect.php');

    $email = $_POST['email'];
    $email = mysql_real_escape_string($email);
    $table = "user";

    $sql = "SELECT user_email FROM $table WHERE user_email = '$email'";
    $result = mysql_query($sql);

    //mysql_num_rows is counting table now
    $count = mysql_num_rows($result);

    //if the email is correct will be counted 1
    if($count == 1){
        //send password to the user through email
        while( $rows = mysql_fetch_array($result) ){
            $password = $row['user_pass'];
        }

        //send mail form
        //subject
        $subject="Your Password!!";
        // From
        $header="from: BabyTracker <your email>";
        // Your message
        $messages = "There is your password for login.\n Password is ".$password;
        // send email
        $sentmail = mail($email,$subject,$messages,$header);

        //if password form was sent successfully
        if($sentmail){
            echo "Your password has been sent to your email.";
        } else {
            echo "Sorry! We can't send password to you email box."."<BR>";
            echo "Contact us by phone.";
        }
    } else {
        echo "Have you signed up? The system can't find your email?"."<BR>";
    }
    ?>

Garethp Posted November 12, 2009

$password = $row['user_pass']; should be $rows not $row

Also, the fact that you even store your passwords unhashed is a big security problem

davids701124 Posted November 12, 2009

> $password = $row['user_pass']; should be $rows not $row
> Also, the fact that you even store your passwords unhashed is a big security problem

Even when I corrected the variable, it still prints empty. Also, for the security problem, do you have any suggestion, or what would be the correct and good way to do it?

Garethp Posted November 12, 2009

> > $password = $row['user_pass']; should be $rows not $row
> > Also, the fact that you even store your passwords unhashed is a big security problem
>
> Even when I corrected the variable, it still prints empty. Also, for the security problem, do you have any suggestion, or what would be the correct and good way to do it?

Yes, md5 in, md5 out. And forget the forgotten password thing. The closest anyone should ever have is a security question to reset it

otuatail Posted November 12, 2009

Even if you stored the password without MD5 (which you should)

    $sql = "SELECT user_email FROM $table WHERE user_email = '$email'";

should have been

    $sql = "SELECT user_pass FROM $table WHERE user_email = '$email'";

and having checked for only 1 instance (== 1), why have

    while( $rows = mysql_fetch_array($result) )
    {
        $password = $row['user_pass'];
    }

How many passwords do you expect?

I think everyone agrees that passwords should be MD5() and can't then be emailed back. Some form of re-setting a new password is better.

Desmond.

mikesta707 Posted November 12, 2009

A lot of people are suggesting sha1 nowadays, as MD5 has some collision problems, and is known to be less secure than MD5

Garethp Posted November 12, 2009

> A lot of people are suggesting sha1 nowadays, as MD5 has some collision problems, and is known to be less secure than MD5

How exactly do SHA1 and MD5 work? I understand that you can get collisions, but the chances aren't all that big. How does SHA1 differ?

FaT3oYCG Posted November 12, 2009

SHA1 is just a slightly different algorithm to MD5.

Reset password E-Mails are not a good idea though, as you then open the user's account to vulnerability, as the reset password may be randomly generated or reset to something that a brute force attack could penetrate. A better solution would be to have a secret question, as has been said.

Even an E-Mail that sends the user's current password to them isn't secure and should not be done, as they can be logged by host systems; a user's password should be protected with sufficient security according to the data protection act.

If a user forgets their password and can't remember the answer to their secret question then they should be forced to create a new account. Old accounts should be deleted after a period of time with no use, according to the data protection act (don't hold data for longer than you need to), so multiple accounts should not be a problem. If the user then remembers their password or secret question they should choose between an account, and the unused account should be deleted, also in compliance with the data protection act.

Basically, don't use password reset E-Mails.

I hope this information helped you.

Thanks, Craig.

otuatail Posted November 12, 2009

By reset password I meant by email. This is something I have done.

--------

First off, you should ensure that the email address does not exist before inserting it. The chosen password should be hashed into the record.

    $val = md5("MyPassword");

If they forget the password, they can click a link 'Forgot password'. This should check for the email address and tell the user if it doesn't exist; otherwise you are sending them an email with details of how to create a new password.

An email is then sent with a link to a create new password page, using the user name and the hashed value of the password. The user can now enter a new password and the system can update the record.

    resetpassword.php?id=544a8108282a5cc89814526d954352ac // the old password hashed.

------------

Not only that. But my bank has a system. When you get your email you have to use the link within 24 hours

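The reset-link flow described in the post above, as an added example that is not code from the thread: the link carries a random single-use token instead of the hash of the old password, only the token's SHA-256 is stored, the token expires after 24 hours, and passwords are stored with password_hash() rather than md5(). The `password_reset` table, the `id` column, the function names and the in-memory SQLite database are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Needs PHP 7.1+ with pdo_sqlite.
// Tables/columns other than user_email and user_pass are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, user_email TEXT UNIQUE, user_pass TEXT)');
$db->exec('CREATE TABLE password_reset (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');

// Constructed sample account; password_hash() salts and stretches the password.
$db->prepare('INSERT INTO user (user_email, user_pass) VALUES (?, ?)')
   ->execute(['alice@example.test', password_hash('old-password', PASSWORD_DEFAULT)]);

// Step 1: "forgot password" form. Returns the token for the e-mailed link,
// or null when the address is unknown.
function requestReset(PDO $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT id FROM user WHERE user_email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // unguessable, unrelated to the password
    $db->prepare('DELETE FROM password_reset WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO password_reset VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + 86400]); // 24 hours
    return $token;
}

// Step 2: page behind the link. Works once, and only before expiry.
function completeReset(PDO $db, string $token, string $newPassword): bool
{
    $stmt = $db->prepare(
        'SELECT user_id FROM password_reset WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return false;
    }
    $db->prepare('UPDATE user SET user_pass = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    $db->prepare('DELETE FROM password_reset WHERE user_id = ?')->execute([$userId]);
    return true;
}

$token = requestReset($db, 'alice@example.test');
var_dump(completeReset($db, $token, 'new-password'));     // first use of the link
var_dump(completeReset($db, $token, 'another-password')); // same link again
```

Because the token is random and deleted on use, a leaked or logged link reveals nothing about the old password and stops working after one reset or 24 hours.
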
FaT3oYCG Posted November 12, 2009

Even sending the user an E-Mail with a link to a page to reset their password isn't 100% safe but is one of the most reasonably accepted methods for data that can't easily just have a new account created for such as a bank account, but it is still not 100% secure as I have said. The most secure of systems would be completely self contained with no external sources for interception but it really depends what you are using your accounts for.

If the account was simply for a website forum then sending password reset links should cover the sufficient protection clause in the data protection act. That being said I wouldn't think that any user that found any of this information out would be too happy that there is still a risk that you are taking with their data.

otuatail Posted November 12, 2009

I think that my solution is ok on this one. Sending an email to the person with an encrypted md5 value as part of a link to reset the password with a new one should be ok. We don't believe that we live in an ideal world. Even banks have been hacked with the latest Microsoft Windows version, but if the user were to type in something like mother's maiden name as part of the resetting a password and that is also md5(), I think that is good enough.

If anyone thinks a better solution is required and can supply it here? I take security matters seriously and so do all members of this group. This is a think tank of minds, isn't it. So let's find a better solution to this possible security breach (if it is there) so we can work together on it. Maybe show William Gates a thing or two.

Desmond.

mikesta707 Posted November 12, 2009

Meh, the security risk you are talking about isn't that drastic at all.. especially since the reset password system is pretty much standard with most websites out there. Hell, if it was that big of a deal, would giants like Google, Yahoo, Microsoft, etc. use it? They use it with emails (which would cause much more harm if hacked into than some random website). So you'll be fine.

Besides, in order to make use of this "vulnerability" you would most likely have to hack into their email account, and if some hacker has gone that far, then I think it's safe to say that all is lost. And if a hacker has gotten into your email address, unless your site is one that takes bank information and stuff like that, I wouldn't worry about it. What is someone gonna do with your account? Make you look bad?

Security question + secret answer + reset button is pretty safe in my opinion. Not to mention that there isn't anything that is 100% safe, and if there is, that's only because hackers haven't taken the time to expose a weakness yet

otuatail Posted November 12, 2009

Thanks, that is what I thought. (FaT3oYCG) thought it might be a problem, and I for one would not want to give advice to anyone on this group that could be flawed in a security way. I do like the idea that my bank prevents the link from working after 24 hours. If you MD5 your mother's maiden name into the DB as well and they have to enter it when going to the link, that has to be secure. The only way around this is virus attack with key press checking, but we can't be held responsible for everything a user does.

Desmond.