Generate secret code for password reset

I'm doing a module which allows users to reset their password. I noticed that most websites provide a confirmation link containing a query string that has a unique hash.

My question is: how can I generate this unique hash each time the same user requests a forgotten password? Should I store this hash in the database and use it for verification later on? Will it be safe? Or should I create some sort of algorithm which generates a one-time password? How can I generate an OTP?

chrizonline asked Aug 24 '10 15:08



1 Answer

Yes, you should:

  1. Generate a random reset token. See e.g. this answer.
  2. Store it in the database (possibly with an expiry time)
  3. Send e-mail to the user with the reset token.
  4. User visits the reset password page with the reset token in the query string.
  5. Check the database to see the user associated with the reset token and if the expiry time hasn't passed.
  6. If everything checks out, allow the user to reset the password and delete the reset token from the database.

There seems to be a lot of confusion about the generation of the reset token (or whatever you want to call it). Please read the answer I've linked to and don't reinvent the wheel with hashes and weak seeds.

Artefacto answered Sep 18 '22 14:09
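The six steps in the answer above, worked through in Python as an added example (not code from the original question or answer). It goes slightly beyond the answer in one respect: the database stores only a SHA-256 hash of the token, so someone who reads the table (SQL injection, a leaked backup) does not obtain usable reset links. The in-memory SQLite table, the 30-minute lifetime, the `https://example.com/reset` origin and the `user_id` values are all assumptions made for the example.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed policy for the example: links expire after 30 minutes


def open_store():
    """Create an in-memory SQLite table for reset tokens (a constructed stand-in for the app DB)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE password_resets ("
        " token_hash TEXT PRIMARY KEY,"
        " user_id INTEGER NOT NULL,"
        " expires_at REAL NOT NULL)"
    )
    return db


def issue_reset_token(db, user_id, now=None):
    """Steps 1-2: generate a random token, store only its hash plus an expiry, return the raw token.

    Any earlier token for the same user is invalidated, so only the most recent e-mail works.
    """
    now = time.time() if now is None else now
    # 32 bytes from the OS CSPRNG (secrets, not random/mt_rand), URL-safe for the query string
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    db.execute("DELETE FROM password_resets WHERE user_id = ?", (user_id,))
    db.execute(
        "INSERT INTO password_resets (token_hash, user_id, expires_at) VALUES (?, ?, ?)",
        (token_hash, user_id, now + TOKEN_TTL_SECONDS),
    )
    db.commit()
    return token


def build_reset_link(token, base_url="https://example.com/reset"):
    """Step 3: the link that goes in the e-mail. base_url is an assumed, configured origin."""
    return f"{base_url}?token={token}"


def consume_reset_token(db, token, now=None):
    """Steps 4-6: look the token up by its hash, reject it if expired, and delete it.

    Returns the user_id the token belongs to, or None if it is unknown or expired.
    """
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    row = db.execute(
        "SELECT user_id, expires_at FROM password_resets WHERE token_hash = ?",
        (token_hash,),
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at = row
    # Delete on every hit: a token is single-use, and an expired one should not linger either
    db.execute("DELETE FROM password_resets WHERE token_hash = ?", (token_hash,))
    db.commit()
    if now > expires_at:
        return None
    return user_id


if __name__ == "__main__":
    store = open_store()
    raw = issue_reset_token(store, 42)
    print("e-mail link:", build_reset_link(raw))
    print("first use ->", consume_reset_token(store, raw))   # 42
    print("second use ->", consume_reset_token(store, raw))  # None: already consumed
```

Two points the code makes that the list of steps does not spell out: the "random" in step 1 means a CSPRNG (`secrets` here, `random_bytes()` in PHP 7+), never `rand()`, `mt_rand()` or a timestamp run through `md5()`; and the reset URL's host is taken from configuration rather than from the incoming request's `Host` header, so an attacker cannot get a link pointing at their own domain mailed to the victim.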