webguync
Posted December 13, 2010

I need to come up with a better way to do this. Currently I have a script which is a form and the user enters their email address, and their password in the database is sent to the email address. Problem is the password is MD5 hashed, so it's hashed when sent to their email. I am sure there is a better way to do this. Also, I am capturing a Security Question and Answer in the initial profile form that the user fills out, so I need to incorporate this as an extra layer of security. Please let me know of the methods for doing this. Thanks in advance!

Link to comment: https://forums.phpfreaks.com/topic/221444-best-way-to-handle-a-lost-usernamepassword/

chronister
Posted December 13, 2010

Typically, passwords are hashed using a one-way encryption. I don't use any "recover" lost passwords. I reset them. You generate a hash string and store it in the database with their user account after verifying their username and email address. Then you send an email to them with that string as a URL parameter. They click the link and it comes back to your site which validates the hash string and allows them to reset the password. You can use the security question to validate them in the same steps as the username and email combination.

Nate
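
The reset flow described in the post above, as an added example that is not part of the original thread or any poster's code. The `users` and `password_resets` tables, the `example.test` addresses, the one-hour expiry and the in-memory SQLite database (PDO with the `pdo_sqlite` extension, PHP 7.1+) are assumptions made so the script runs on its own.

```php
<?php
// Added example: table/column names and example.test addresses are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE password_resets (user_id INTEGER PRIMARY KEY, token_hash TEXT, expires_at INTEGER)');
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')  // constructed sample user
   ->execute(['alice@example.test', password_hash('old-password', PASSWORD_DEFAULT)]);

// Step 1: once the email (and security answer) have been verified, create a one-time token.
function issueResetToken(PDO $db, string $email): ?string {
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null; // caller should show the same "check your inbox" page either way
    }
    $token = bin2hex(random_bytes(32)); // CSPRNG output; rand() and uniqid() are predictable
    // Store only a hash of the token, so a database leak does not expose usable reset links.
    $db->prepare('REPLACE INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + 3600]);
    return $token; // goes into the emailed link as a URL parameter
}

// Step 2: the link comes back; validate the token, set the new password, burn the token.
function redeemResetToken(PDO $db, string $token, string $newPassword): bool {
    $stmt = $db->prepare('SELECT user_id FROM password_resets WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return false; // unknown, expired or already used token
    }
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    return true;
}

$token = issueResetToken($db, 'alice@example.test');
var_dump(redeemResetToken($db, $token, 'new-password'));   // redeem the token once
var_dump(redeemResetToken($db, $token, 'other-password')); // replay the same token
var_dump(issueResetToken($db, 'nobody@example.test'));     // address with no account
```

No password ever travels by email in this flow; the mail carries only the short-lived token, and the user chooses the new password on the site.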

webguync (Author)
Posted December 13, 2010

Thanks, any way you can post some code to get me started? I have done something similar for registration, but not for password recovery.

Anti-Moronic
Posted December 13, 2010

If you can't take the above logic and do that in code by now I'd be a little worried. This might help you a little more:

http://www.plus2net.com/php_tutorial/php_forgot_password.php
http://webforumz.com/php/8394-php-forgot-password-script.htm#post51618

Second being probably more helpful.

chronister
Posted December 13, 2010

Yeah, to give you some code to get you started would be difficult because I have no idea what you have already. If you have done something similar for registration, meaning generating a hash, emailing it and validating it on confirmation, then you have the process. Just do it again for this system.

webguync (Author)
Posted December 14, 2010

Well, I know I need to do something like this, which is what I use to post the initial info after a passkey link is sent out to the email, and allow the membership. But I can use some assistance as to what to change to send out a temp password and then change the password.

```php
<?php
// session_start();
// print_r($_SESSION);
include('config.php');

// Passkey from the link; escaped because it is placed inside the SQL strings below
$passkey = isset($_GET['passkey']) ? mysql_real_escape_string($_GET['passkey']) : '';
$tbl_name1 = "Profile_temp";
$tbl_name2 = "Profile";

// Retrieve data from table where row matches passkey
$sql1 = "SELECT * FROM $tbl_name1 WHERE confirm_code ='$passkey'";
$result1 = mysql_query($sql1);

// If successfully queried
if ($result1) {
    // Count how many rows have this passkey
    $count = mysql_num_rows($result1);

    // If passkey is found, retrieve info from the temporary table
    if ($count == 1) {
        $rows = mysql_fetch_array($result1);
        // Escape stored values before reusing them in SQL (a name such as O'Brien would break the INSERT)
        $FirstName = mysql_real_escape_string($rows['FirstName']);
        $LastName  = mysql_real_escape_string($rows['LastName']);
        $UserName  = mysql_real_escape_string($rows['UserName']);
        $Password  = md5($rows['Password']);
        $Password2 = md5($rows['Password2']);
        $email     = mysql_real_escape_string($rows['email']);
        $Zip       = mysql_real_escape_string($rows['Zip']);
        $Birthday  = mysql_real_escape_string($rows['Birthday']);
        $Security  = mysql_real_escape_string($rows['Security']);
        $Security2 = mysql_real_escape_string($rows['Security2']);

        // Insert the data retrieved from "Profile_temp" into "Profile"
        $sql2 = "INSERT INTO $tbl_name2(`FirstName`,`LastName`,`Username`,`Password`,`Password2`,`email`,`Zip`,`Birthday`,`Security`,`Security2`) VALUES ('$FirstName','$LastName','$UserName','$Password','$Password2','$email','$Zip','$Birthday','$Security','$Security2')";
        //echo $sql2;
        $result2 = mysql_query($sql2) or die(mysql_error());

        $sql3 = "select * from $tbl_name2 where username = '$UserName'";
        $result3 = mysql_query($sql3) or die(mysql_error());
        while ($row = mysql_fetch_assoc($result3)) {
            $_SESSION['id'] = $row['id'];
            $_SESSION['FirstName'] = $row['FirstName'];
        }

        if ($result3) {
            // Encode the name for HTML output
            echo "<h3>Welcome " . htmlspecialchars($_SESSION['FirstName']) . "</h3>";

            // Delete the row with this passkey from "Profile_temp"
            $sql4 = "DELETE FROM $tbl_name1 WHERE confirm_code = '$passkey'";
            $result4 = mysql_query($sql4) or die(mysql_error());

            $sql5 = "select * from $tbl_name2 where username = '$UserName'";
            //echo $sql5;
            $result5 = mysql_query($sql5) or die(mysql_error());

            if (isset($_REQUEST['error']) && $_REQUEST['error'] == 1) {
                echo "Sorry, that user name already exist!";
            }
        }
    }
    // If passkey is not found, display message "Wrong Confirmation code"
    else {
        echo "<h2>Sorry, Your passkey was not found.</h2>";
    }
}
?>
```

jdavidbakr
Posted December 14, 2010

I usually generate a random password by just putting together a random string of characters, or using a substr() of md5(uniqid(rand())) for the new password. Then just set the password to this new value (obviously the hash of it) and send them the new password in an e-mail.

webguync (Author)
Posted December 14, 2010

Thanks for the reply. Any way you can post some code of what has worked for you?

BlueSkyIS
Posted December 14, 2010

All you have to do is query the table for the user entered. If there are more than 0 rows, the name is already taken. Extremely basic PHP.

jdavidbakr
Posted December 14, 2010

Not much to it

```php
// Generate a new 7-character password
$new_password = substr(md5(uniqid(rand())), 0, 7);

// Get the md5 hash for the database
$new_password_hash = md5($new_password);

// Insert into the db
$statement = "update user set password = '$new_password_hash' where user_id = '$user_id'";
mysql_query($statement);

// E-mail password to user
mail($user_email, "Your password has been reset", "Here is your new password: $new_password");
```