LanceT Posted February 5, 2007

I want to make it so that if a user forgets his password, an e-mail will be sent to him with a link to a form that allows him to change his password. I kind of understand how to do this, but I'm worried about security. So what's the most secure way to do this, and if there's any code I could look at, that would be particularly helpful too.
JasonLewis Posted February 5, 2007

How can you be worried about security? Just make the user enter their username and dispatch an email to the email address of the entered username containing their password, with a message saying: if you didn't request your password, please ignore this email.
LanceT (Author) Posted February 5, 2007

Forgot to mention that the password is encrypted MD5 style, so I can't e-mail my users their password; instead I have to create a form. This is how I've done it.

- I have a form that lets the user enter their e-mail address.
- If this e-mail can be found in the database, then I will send an e-mail to this address containing a page to reset their password. This URL also contains a "key."
  EX - page.com/password_gen.php?generate=something&key=dsdsjdnsjdsd87ewew&username=theirusername
- Inserts the key number and the username into the database.
- For the key I'm just using the MD5ed version of their current password.
- If the key matches the username, then they can change the password; otherwise, echo an error message.

Tell me if you think this is ok. Mainly, I'm using the MD5 version of their current password as a key, and wonder if this poses any security risks. Thanks.
Schlo_50 Posted February 5, 2007

Well, I'm 99% sure MD5 can't be cracked at all, so using it should be ok. Although I think you should use a secret question too, just to verify the user.
obsidian Posted February 5, 2007

The best way I've found to help with security in this sort of environment is to come up with some sort of encryption algorithm to match against. Use this algorithm to send them a code in their URL, and when they follow the link, double check the code provided against your algorithm to make sure they are using a valid link. Something like this works great:

```php
<?php
// This function simply creates a code based on a provided string
function CreateCode($String) {
    // Create a salt unique to your site!!!
    $salt = "mY site is da b0mb!!1";
    $code = crypt($String, $salt);
    $code = substr(md5($code), 0, 20);
    return $code;
}

// Provide this URL for them to follow
function GenerateURL($username) {
    $code = CreateCode($username);
    // urlencode() keeps usernames with special characters from breaking the query string
    $url = "http://www.mysite.com/newPassword.php?user=" . urlencode($username) . "&code=$code";
    return $url;
}

// Then, when they visit the newPassword.php page, just check their code
// against your algorithm again
if (!isset($_GET['user']) || !isset($_GET['code'])) {
    // invalid attempt, redirect them
} else {
    $user = trim($_GET['user']);
    $code = trim($_GET['code']);
    // strict comparison, so PHP does not compare two hex strings as numbers
    if ($code === CreateCode($user)) {
        // Valid URL, let them change their password
    } else {
        // Some sort of tampering going on. Don't allow a password change
    }
}
?>
```

Hope this helps.
ted_chou12 Posted February 5, 2007

Yeah, I don't believe that's very secure, since anyone can enter the link by accident. I suggest using:

```php
// length of 8 assumed; the default value was garbled in the post
function generate_password($length = 8) {
    $password = "";
    $possible = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $i = 0;
    while ($i < $length) {
        // pick one character at random from $possible
        // (mt_rand() is not a cryptographic generator; random_int() is the modern choice)
        $char = substr($possible, mt_rand(0, strlen($possible) - 1), 1);
        $password .= $char;
        $i++;
    }
    return $password;
}

$password = generate_password(8);
$md5pass = md5($password);
```

This generates a random string consisting of letters and digits. Store the generated string in the db and send them a copy (through email). This is much more secure.

Ted
obsidian Posted February 5, 2007

> yeah, i dont believe thats very secured, since anyone can enter the link by accident, i suggest

What wouldn't be secure? I hope you're not referring to my suggestion... look over it carefully. It's generating a 20 character string based on encrypting the username with a pre-defined server-side salt, which is then in turn encrypted via MD5. Unless the user knows the salt you are using for the encryption, there is no way they are going to be able to accidentally enter the link.
JasonLewis Posted February 6, 2007

I think Ted was referring to the OP's suggestion, obsidian. Yours is a very clean way of doing it.
ted_chou12 Posted February 6, 2007

Sorry, I only read LanceT's first post and didn't look through the rest very carefully, so I was trying to come up with a solution to:

> I want to make it so that if a user forgets his password, an e-mail will be sent to him with a link to a form that allows him to change his password

Sorry for any misunderstanding.

Ted
obsidian Posted February 6, 2007

> sorry for any misunderstanding.

No problem... just wanted to clarify. I agree with you, though. In my book, the best way would be to randomly generate a new password for the user, but in answer to the how of the OP, I came up with that code.
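Added example, not code from any poster in this thread, showing the properties a reset link needs and that the two schemes above lack: a code that is a fixed function of the username (obsidian's post) yields the same link forever, so it can be reused by anyone who ever sees it, and a key built from the password hash (LanceT's scheme) copies that hash into URLs and mail logs. Here the token is random, stored only as a hash, time-limited and single-use; the in-memory array, the fixed clock value and the user alice are constructed stand-ins for a real table and real accounts.

```php
<?php
// Added example (not from any post in this thread). The reset token is random,
// stored only as a SHA-256 hash, valid for a limited time and usable once.
// $resetTable is a constructed in-memory stand-in for a database table.

const TOKEN_TTL_SECONDS = 15 * 60;

$resetTable = []; // sha256(token) => ['username' => ..., 'expires' => unix time]

// Called when a "forgot password" request names an existing account. Returns the
// plain token for the e-mail link; only its hash is kept server-side, so a copy of
// the table does not give anyone a working link.
function issueResetToken(array &$table, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG, not mt_rand()
    $table[hash('sha256', $token)] = [
        'username' => $username,
        'expires'  => $now + TOKEN_TTL_SECONDS,
    ];
    return $token;
}

// Called when the link is followed. Returns the account the token belongs to, or
// null if the token is malformed, unknown or expired. The row is deleted as soon as
// it is found, so a link cannot be replayed after one use.
function consumeResetToken(array &$table, string $token, int $now): ?string
{
    if (strlen($token) !== 64 || !ctype_xdigit($token)) {
        return null;                      // not something this code ever issued
    }
    $key = hash('sha256', $token);
    if (!isset($table[$key])) {
        return null;                      // unknown, or already consumed
    }
    $row = $table[$key];
    unset($table[$key]);                  // single use, whatever happens next
    return $row['expires'] >= $now ? $row['username'] : null;
}

// Walk-through with a constructed clock. The link carries no username: the token
// alone identifies the row, so the URL reveals nothing about the account.
$now   = 1700000000;
$token = issueResetToken($resetTable, 'alice', $now);
$link  = 'https://example.invalid/newPassword.php?token=' . $token;

var_dump(consumeResetToken($resetTable, $token, $now + 60));   // first use, within the limit
var_dump(consumeResetToken($resetTable, $token, $now + 61));   // same token again: consumed
$late = issueResetToken($resetTable, 'alice', $now);
var_dump(consumeResetToken($resetTable, $late, $now + TOKEN_TTL_SECONDS + 1)); // past the limit
```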