Shadowing Posted December 10, 2011
Since I can't undo the MD5, is it safe to, say, record their password again without MD5 in the database and use that to mail them their password if they forgot it?
freelance84 Posted December 10, 2011
It's better, if they have lost or forgotten their password, to get them to create a new one, or create a new one for them and send them that.
xyph Posted December 10, 2011
Check the article in my signature. You should read and understand the entire thing before trying to store passwords. It has a section on password resetting. Never store passwords in plain text.
Shadowing (Author) Posted December 10, 2011
There is so much to PHP lol. I've just scratched the surface on how to use functions. How do I echo this correctly, or better yet, how do I store the password from it so I can email it? I wanted to echo it first to make sure it works. Sorry, I'm really trying to learn this, if someone could help me out. I finally got the hang of writing strings on my own though.

```php
<?php
// Shuffle the character set and return its first $length characters.
function rand_passwd( $length = 8, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' ) {
    return substr( str_shuffle( $chars ), 0, $length );
}

echo "The password is ";
rand_passwd();
?>
```

I'll check your article out, xyph. I spent a while getting my script to mail my password out, then I realized I couldn't get rid of the MD5 haha.
Shadowing (Author) Posted December 10, 2011
Alright, I figured out how to echo it. Now I need to figure out how to generate it and store it, mail it, then md5 it into my database. I'm guessing the best way to do this is to generate it and save it to a session? Then use that to do everything else.
scootstah Posted December 10, 2011
The general idea is to have them enter their email into a password reset form. Your script will generate a random token, store it in their users table, and then email it to the email they entered. They will be given a link to follow that has the token in it. If the token matches that of the one you stored in the database, they will be able to create a new password. The token must be random and unique.
Shadowing (Author) Posted December 11, 2011
Oh, so I shouldn't md5 and replace their password with the generated one until they click on the link with the token. I didn't even realize that's how those links worked. Didn't know you could store data in a link and not be part of the dir of the link. That would be easier to do. I think I can write the script to do it where the random password is emailed to them and then they use that to log in and it replaces their current password. But creating a link like that with the token, I'll have to find a tutor online helping with that.
jcbones Posted December 11, 2011
You never overwrite their password before getting confirmation from their email, otherwise someone could spam your forgotten password form with random emails and lock out every user you have (until they check their email). For the links, you need to look at the _GET array HERE. For the tokens, you could create a function to generate a random string of characters, coupled with the current time:

Example Only

```php
<?php
function randomToken() {
    $str = 'aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ0123456789'; // random string of letters and numbers.
    $token = NULL; // set the variable.
    for ($i = 0; $i < 50; $i++) { // loop 50 times.
        $token .= $str[mt_rand(0, (strlen($str) - 1))]; // add a random letter from the string to our token variable.
    }
    return sha1($token) . time(); // hash the result, then add the time to the end of it.
}
?>
```

NOTE: Do not use md5, sha1, sha256 for password storage, even the manual suggests against that. Read about it.
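The reset flow scootstah and jcbones describe, as an added example that is not part of any post in the thread: it takes the token from random_bytes() rather than mt_rand(), stores only a SHA-256 hash of it with an expiry, and replaces the password (with password_hash()) only after the emailed token is presented. The in-memory SQLite table, the column and function names and the example.test URL are assumptions; PHP 7.1 or later with pdo_sqlite is assumed.

```php
<?php
// Added example, not code from the thread. Table, columns and URL are assumed names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, pass_hash TEXT,
           reset_hash TEXT, reset_expires INTEGER)');
$db->prepare('INSERT INTO users (email, pass_hash) VALUES (?, ?)')
   ->execute(['user@example.test', password_hash('old-password', PASSWORD_DEFAULT)]);

// Step 1: the reset form was submitted. The current password is left untouched.
function startReset(PDO $db, string $email): ?string {
    $token = bin2hex(random_bytes(32));            // 64 hex chars from the OS CSPRNG
    $stmt = $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE email = ?');
    $stmt->execute([hash('sha256', $token), time() + 3600, $email]); // store only a hash
    if ($stmt->rowCount() === 0) {
        return null;                               // unknown address: send nothing
    }
    // This link is what gets emailed; the page behind it reads $_GET['token'].
    return 'https://example.test/reset.php?email=' . urlencode($email) . '&token=' . $token;
}

// Step 2: the user followed the link and submitted a new password.
function finishReset(PDO $db, string $email, string $token, string $newPassword): bool {
    $stmt = $db->prepare('SELECT reset_hash, reset_expires FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int)$row['reset_expires'] < time()) {
        return false;                              // no pending reset, or link expired
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;                              // wrong token (constant-time compare)
    }
    // Only now is the password replaced, and the token is cleared so it works once.
    $db->prepare('UPDATE users SET pass_hash = ?, reset_hash = NULL, reset_expires = NULL
                  WHERE email = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $email]);
    return true;
}

$link = startReset($db, 'user@example.test');
parse_str((string)parse_url($link, PHP_URL_QUERY), $q);  // stands in for $_GET
var_dump(finishReset($db, $q['email'], 'wrong-token', 'new-password'));  // a guessed token
var_dump(finishReset($db, $q['email'], $q['token'], 'new-password'));    // the emailed token
var_dump(finishReset($db, $q['email'], $q['token'], 'another'));         // same token replayed
```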
Shadowing (Author) Posted December 11, 2011
Idk, I read a ton of online tutors, it's way over my head. I think I'll just store the password for now, then when my site goes live come up with a lock out. An attacker can't see my passwords unless they gain admin access, right?