downah
Posted June 20, 2012

Hi guys,

I just wanted some input on how to create a system to reset passwords for members. As I have recently learned to use salt and encryption, I cannot resend the password back to the user, so how would I go about it if they lose their password? Reset their password for them automatically and send it to their email by putting in the email which their account is associated to?

I would really appreciate some feedback on this,
Jamie

Link to comment: https://forums.phpfreaks.com/topic/264516-password-reset-i-am-confused/

Jessica
Posted June 20, 2012

Step one: User enters their username OR email OR both.
Step two: You generate a random key and store it with the current time in the database.
Step three: You email the user a link like site.com/reset_password.php?key=hds743ydsaak (to their email you already have stored in the DB)
Step four: That page asks the user for their username and the key (which can auto fill from the URL).
Step five: If the key matches the username and it's not been too long (24 hours is generally plenty), then either:
  a. allow them to choose a new password
  b. Mail them a new password and they can change it after they login.

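The five steps above in PHP, added here as an example and not code posted by anyone in this thread. The table and column names, the site.example URL and the sample user are assumptions; storing only a SHA-256 hash of the key and deleting it once used go beyond what the post states.

```php
<?php
// Added example: table/column names are hypothetical; in-memory SQLite stands in for the site's DB.
const RESET_TTL = 86400; // 24 hours, the window suggested in the post
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, password_hash TEXT)');
$db->exec('CREATE TABLE password_resets (username TEXT PRIMARY KEY, key_hash TEXT, created_at INTEGER)');

// Steps two and three: create the key, store its hash with the time, return the link to email.
function startReset(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $stmt->execute([$username]);
    if (!$stmt->fetchColumn()) {
        return null; // unknown user: the page should show the same message either way
    }
    $key = bin2hex(random_bytes(32)); // CSPRNG output, not rand() or uniqid()
    $db->prepare('REPLACE INTO password_resets (username, key_hash, created_at) VALUES (?, ?, ?)')
       ->execute([$username, hash('sha256', $key), time()]);
    return 'https://site.example/reset_password.php?key=' . $key;
}

// Steps four and five (option a): check user, key and age, then set the chosen password.
function finishReset(PDO $db, string $username, string $key, string $newPassword): bool
{
    $stmt = $db->prepare('SELECT key_hash, created_at FROM password_resets WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row
        || !hash_equals($row['key_hash'], hash('sha256', $key)) // constant-time comparison
        || time() - (int) $row['created_at'] > RESET_TTL) {
        return false;
    }
    // password_hash() generates a fresh random salt on every call.
    $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
    // Single use: the key is deleted once it has been redeemed.
    $db->prepare('DELETE FROM password_resets WHERE username = ?')->execute([$username]);
    return true;
}

// Constructed sample data: one user, one wrong key, one valid key, one replay of the valid key.
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['jamie', 'jamie@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);
$link = startReset($db, 'jamie');
parse_str(parse_url($link, PHP_URL_QUERY), $query);
var_dump(finishReset($db, 'jamie', 'wrong-key', 'new-password'));
var_dump(finishReset($db, 'jamie', $query['key'], 'new-password'));
var_dump(finishReset($db, 'jamie', $query['key'], 'another-password'));
```

Only the second call succeeds: the first presents a key that does not match, and the third replays a key that was deleted when it was redeemed.
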
mikhl
Posted July 19, 2012

What might be a good idea is to concatenate a number of the user's details you have stored in the database, such as their birthday, email address, name, and maybe a preset string from you, then hash this. This will create a unique hash for the user.

Send the user an email containing a link like:
www.yoururl.com/reset_password?key=hashedvalue

When the user clicks this or pastes it into the web bar, a script will validate the hashed value and allow the user to select a new password or create a new one for them.

This method means you don't have to store anything in the database. However, you cannot set an expiry date for this.

Christian F.
Posted July 28, 2012

Remember to generate a new salt as well, for that little bit of added security.

This topic is now archived and is closed to further replies.