Jump to content

A forgot password script

DanielHardy

By DanielHardy
in PHP Coding Help

 Share

Recommended Posts

DanielHardy Member

DanielHardy

Posted
Posted

Hi,

 

I am looking for some general advice on whether this is good practice for a forgot password script.

 

Firstly when a user clicks "forgot password" they are taken to a page where they are asked to enter their email and their security question answer.

 

Upon success, a randomly generated password is created and sent in normal format in an email to users email, and stored in the database (overwriting their old password) in MD5 format.

 

Thanks in advance

 

Dan

Link to comment
https://forums.phpfreaks.com/topic/264042-a-forgot-password-script/
Share on other sites
abdfahim Advanced Member

abdfahim

Posted
Posted

I personally don't like this security question answer method (because I never could remember those of any of my web accounts). And if the security answer is is too straight forward, then there is no point of having it.

 

So what I did for my designed forums,

- when a user click on "forget password" link, it will ask for the email address.

- If email address matches, it will create a temporary key in database against that user and send a specific link with hashed (md5) key as argument to his email address.

- If he clicked on that link, it matches the key and then asked for a new password.

floridaflatlander Regular Member

floridaflatlander

Posted
Posted

Storing an MD5 hash isn't really that secure. You'd want to look at encrypting your passwords not just hashing.

 

I think he's talking about a key,

specific link with hashed (md5) key as argument
to his email address, not a password.
Mahngiel Member

Mahngiel

Posted
Posted

I personally don't like this security question answer method (because I never could remember those of any of my web accounts). And if the security answer is is too straight forward, then there is no point of having it.

 

So what I did for my designed forums,

- when a user click on "forget password" link, it will ask for the email address.

- If email address matches, it will create a temporary key in database against that user and send a specific link with hashed (md5) key as argument to his email address.

- If he clicked on that link, it matches the key and then asked for a new password.

 

Yea, I agree with this method.  I use the sesssion_id hash as the temporary key for the link and verification.  The key is stored in the user's activation column, where normally is a bool integer.

floridaflatlander Regular Member

floridaflatlander

Posted
Posted

.....  The key is stored in the user's activation column, where normally is a bool integer.

 

Mahngiel, do you have a time column to make the hash only usable within a certain time?

 

I've been toying with this in my mind but I'm not wanting to make another column for time.

abdfahim Advanced Member

abdfahim

Posted
Posted

Yea, I agree with this method.  I use the sesssion_id hash as the temporary key for the link and verification.  The key is stored in the user's activation column, where normally is a bool integer.

 

looks like we are on the exactly same page :) ....

 

.....  The key is stored in the user's activation column, where normally is a bool integer.

 

Mahngiel, do you have a time column to make the hash only usable within a certain time?

 

I've been toying with this in my mind but I'm not wanting to make another column for time.

 

you have 2 choice ... either insert another column in DB for time stamp, but I prefer to embed the expiration time stamp inside that key ......

Mahngiel Member

Mahngiel

Posted
Posted

but I prefer to embed the expiration time stamp inside that key ......

 

Interesting concept.

 

Mahngiel, do you have a time column to make the hash only usable within a certain time?

I'm not quite too sure what purpose this would serve.  There are other ways to determine if the the request was not malicious, and what would be the alternative on expiration?  Return the column to true?  IMO this just creates an exploit for scavengers.  No, I believe a reporting avenue would suffice this situne.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.