wwfc_barmy_army, posted October 30, 2007: Hello. I've got a field for a password in my database which is encrypted using MD5 when the password is first set, but I would like some kind of password reminder, or reset, although I am unsure how I could go about it. I am aware that MD5 encryption is a one-way thing and cannot be decrypted, so I don't think I'll be able to work with a reminder, but some kind of password reset might work. Any suggestions/examples/pieces of code? Thanks.
cooldude832, posted October 30, 2007: A few ideas depending on your prefs on security. Case 1: Make a secondary table of non-md5ed passwords with one-way encrypted user IDs. Semi-insecure, but gives you the ability to recover passwords without resetting. (i.e. $q1 = "select UserID from `Main_users` Where Email/Username = '".$_POST['userinput']."'"; then use that id in this secondary table.) Case 2: Don't store; if they forget, you generate a random string and make that the new password, emailing it to the user. Not great if you have forgetful users, but it is more secure than case 1. Case 3: Don't use md5; use a salt with a two-way algorithm so they can be recovered. It's more secure than 1, but if your algorithm is cracked you are dead in the water.
Wuhtzu, posted October 30, 2007: If the users are registered with an e-mail you can let the user ask for a password reset, then send an e-mail to the user which holds a "confirmation link" he/she has to click in order for the password to be reset and finally, if the password reset is confirmed, reset the password to something and mail it to the user:
1: User clicks "Forgotten password?" and learns about the reset feature.
2: User clicks "Reset my password".
3: You send an e-mail containing a confirmation link to the user's e-mail.
4: User clicks the confirmation link in the e-mail, confirming he wants the password reset (this is to prevent morons from resetting other people's passwords).
5: You receive the confirmation, generate a random 8 char long password, md5() encrypt it, store it in your DB and mail the plain text password to the user.
6: User can now log in again and set a proper password.
That's what I would do.
eagleweb, posted October 30, 2007: Wuhtzu is right. If you are not worried about #4 above though and want the user to have an immediate password, you could set up the "reset password" form to check the database for the email address of the user and send a random password to that email address. If the user types in an email address that is not in the database, he gets an error message instead.
It is immediate.
It only sends the new password to the email address on file.
It encrypts it (md5) and inserts it into the database.
The only bad thing, if it is a concern, is that if I knew your email address, I could keep resetting it; but I could not retrieve it...only you could.
Wuhtzu, posted October 30, 2007: If you know the e-mail address of another user you will not be able to reset it, only generate an (annoying) e-mail which asks for confirmation to reset the password.
cooldude832, posted October 30, 2007: which you can use IP tracking on and report the maleficences to their ISP.
atlanta, posted October 30, 2007: My suggestion is, on the forgot password page, select the user's email from the database, have the script generate a random string, then send this to the user in an email at the end of the script, and allow them to reset the password with the correct random string entered!
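A PHP sketch of the confirmation-token flow that Wuhtzu's steps 3-5 and atlanta's random-string suggestion describe, added here and not code from the thread. It assumes an in-memory array in place of the database, a one-hour token lifetime, and uses password_hash() instead of md5() for the stored password; the token itself is never stored, only its hash, and it is consumed on first use.

```php
<?php
// Added example (not from the thread): token-based reset confirmation as in
// steps 3-5 of Wuhtzu's post. $db is an in-memory array standing in for the
// database; password_hash() replaces md5() for the stored password (a swap).

const TOKEN_TTL = 3600; // one-hour token lifetime (assumed)

// Step 3: user asked for a reset. Create a single-use token and return the
// link to e-mail. Only the token's hash is stored, so a leaked DB row cannot
// be used to confirm the reset.
function createResetRequest(array &$db, string $email): ?string {
    if (!isset($db['users'][$email])) {
        return null; // caller shows the same neutral message either way
    }
    $token = bin2hex(random_bytes(32));
    $db['resets'][$email] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + TOKEN_TTL,
    ];
    return 'https://example.com/reset.php?email=' . rawurlencode($email)
         . '&token=' . $token;
}

// Steps 4-5: user clicked the link. Check token and expiry, consume the
// token, then store a random 8-char password and return it for mailing.
function confirmReset(array &$db, string $email, string $token): ?string {
    $req = $db['resets'][$email] ?? null;
    if ($req === null || time() > $req['expires']) {
        return null;
    }
    if (!hash_equals($req['hash'], hash('sha256', $token))) {
        return null; // constant-time compare
    }
    unset($db['resets'][$email]); // single use
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789';
    $new = '';
    for ($i = 0; $i < 8; $i++) {
        $new .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $db['users'][$email]['password'] = password_hash($new, PASSWORD_DEFAULT);
    return $new;
}

// Usage with a constructed user record
$db = ['users' => ['alice@example.com' => ['password' => '']], 'resets' => []];
$link = createResetRequest($db, 'alice@example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $q);
$newPassword = confirmReset($db, $q['email'], $q['token']);
var_dump(password_verify($newPassword, $db['users']['alice@example.com']['password']));
```

In a real deployment the two functions live behind the "Reset my password" form and the reset.php link handler respectively, and the mailing step replaces the var_dump.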
GingerRobot, posted October 30, 2007 (quoting cooldude832): "A few ideas depending on your prefs on security. Case 1: Make a secondary table of non-md5ed passwords with one-way encrypted user IDs. Semi-insecure, but gives you the ability to recover passwords without resetting. (i.e. $q1 = "select UserID from `Main_users` Where Email/Username = '".$_POST['userinput']."'"; then use that id in this secondary table.) Case 2: Don't store; if they forget, you generate a random string and make that the new password, emailing it to the user. Not great if you have forgetful users, but it is more secure than case 1. Case 3: Don't use md5; use a salt with a two-way algorithm so they can be recovered. It's more secure than 1, but if your algorithm is cracked you are dead in the water." Personally I hate websites where the lost password function returns your original password. This is inherently more insecure than a hashed password which would not be retrievable. I also dislike the idea of having my normal password stored in one of my emails - if I'm logged in to my email and someone were to read that email, they would have my actual password, rather than a random string that most lost password functions generate.
cooldude832, posted October 30, 2007: thus why I said it depends on your security prefs.
atlanta, posted October 30, 2007: Yea, I think generating a random string is the best because then if the user uses that password for everything it won't be compromised!
eagleweb, posted October 30, 2007: No matter how it is done, the owner of the email address gets an email if his/her email address is entered in the 'retrieve password' form. The difference is whether or not the password gets reset immediately or after he approves the change. What you want the outcome to be is how you need to set up the form. You now have multiple ideas to choose from.
1. confirm that he wants the password reset first
2. reset the password with a random string and send it to him
3. send him a random string that can be used to reset the password
Next step is yours.
wwfc_barmy_army (author), posted October 31, 2007: Thanks for all the replies, I'll take them all into mind. Thanks again.