downah Posted June 20, 2012 Share Posted June 20, 2012 Hi guys, I just wanted some input on how to create a system to reset passwords for members, as I have recently learned to use salt and encryption I can not resend the password back to the user, so how would I go about if they lose their password? Reset their password for them automatically and send it to their email by putting in the email which their account is associated to? I would really appreciate some feedback on this, Jamie Quote Link to comment https://forums.phpfreaks.com/topic/264516-password-reset-i-am-confused/ Share on other sites More sharing options...
Jessica Posted June 20, 2012 Share Posted June 20, 2012 Step one: User enters their username OR email OR both. Step two: You generate a random key and store it with the current time in the database. Step three: You email the user a link like site.com/reset_password.php?key=hds743ydsaak (to their email you already have stored in the DB) Step four: That page asks the user for their username and the key (which can auto fill from the URL). Step five: If the key matches the username and it's not been too long (24 hours is generally plenty), then either: a. allow them to choose a new password b. Mail them a new password and they can change it after they login. Quote Link to comment https://forums.phpfreaks.com/topic/264516-password-reset-i-am-confused/#findComment-1355603 Share on other sites More sharing options...
mikhl Posted July 19, 2012 Share Posted July 19, 2012 What might be a good idea is to concatenate a number of the users details you have stored in the database, such as their birthday, email address, name, and maybe a preset string from you, then hash this. This will create a unique hash for the user. Send the user an email containing a link like: www.yoururl.com/reset_password?key=hashedvalue When the user clicks this or pasted it into the web bar a script will validate the hashed value and allow the user to select a new password or create a new one for them. This method means you don't have to store anything in the database. However, you cannot set an expiry date for this. Quote Link to comment https://forums.phpfreaks.com/topic/264516-password-reset-i-am-confused/#findComment-1362687 Share on other sites More sharing options...
Christian F. Posted July 28, 2012 Share Posted July 28, 2012 Remember to generate a new salt as well, for that little bit of added security. Quote Link to comment https://forums.phpfreaks.com/topic/264516-password-reset-i-am-confused/#findComment-1365104 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.