I want to implement logic similar to what some websites do: they ask for your email address and send a link to that address; when you click on that link you are redirected to their home and given a temporary password, which expires after a time limit, and you are asked to set up your new password.
I am interested in knowing the logic for generating temporary passwords, how to store them, keep them safe and expire them after a period of time. I do not have any language preference, but I can understand Java and PHP examples well. Please suggest.
One way would be to generate an MD5 hash of the user info provided to use as the password.
$name = "sushil bharwani";
$email = "[email protected]";
$pass = md5($name . $email);
Which would get you a string such as 1f3870be274f6c49b3e31a0c6728957f. Because the MD5 function will always create the same output from a given input, it's theoretically possible that someone who knew you were registering, what fields were required and what you'd most likely put in them could guess the MD5 hash that would be sent to you. This could be alleviated by adding a random number to the input to md5, but unless you work for a covert government agency it's unlikely anyone would care enough to attempt this anyway.
If you wanted to be more secure, you could generate a public/private key pair, storing the public one in your database and sending the private one in the email. The private key cannot be guessed other than by brute-force, so in that respect it would be more secure. But because you're sending it through email, which is completely insecure, it's not likely to be a very big security gain.
Also keep in mind that either method of generating a password will be generating something far harder to guess than what the users themselves are going to choose for passwords, so worrying about it too much is probably a waste of energy.
As for the temporary part, just use a timestamp to record when the password was created and use a cronjob to delete any older than x days that haven't been changed.
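Added example, not part of the answer above: a reset token drawn from the operating system's CSPRNG instead of an MD5 of user info, stored only as a SHA-256 hash, checked for expiry when it is redeemed (in addition to any cron clean-up) and consumed on first use. The `$resets` array stands in for a database table, and the function names, the one-hour lifetime and the user id are assumptions made for illustration.

```php
<?php
// Added example: $resets stands in for a password_resets table (hypothetical schema).
$resets = []; // user_id => ['hash' => ..., 'expires' => ...]

const RESET_TTL = 3600; // assumed lifetime in seconds (one hour)

// Create a token for the e-mailed link; only its hash is kept server-side,
// so a leaked table does not reveal usable tokens.
function issueResetToken(array &$resets, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $resets[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + RESET_TTL,
    ];
    return $token; // goes into the link, never into the database
}

// Check a token from a clicked link; a valid token is consumed on first use.
function redeemResetToken(array &$resets, int $userId, string $token, int $now): bool
{
    if (!isset($resets[$userId])) {
        return false; // nothing outstanding for this user
    }
    $row = $resets[$userId];
    if ($now > $row['expires']) {
        unset($resets[$userId]); // expired: reject even if no clean-up job has run
        return false;
    }
    // Constant-time comparison of the stored hash with the hash of the presented token.
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($resets[$userId]); // single use
    return true;
}

// Constructed walk-through with a fixed clock value.
$t0    = 1700000000;
$token = issueResetToken($resets, 42, $t0);
var_dump(redeemResetToken($resets, 42, 'wrong-token', $t0 + 10)); // wrong token
var_dump(redeemResetToken($resets, 42, $token, $t0 + 10));        // correct token, in time
var_dump(redeemResetToken($resets, 42, $token, $t0 + 20));        // same token replayed
$late = issueResetToken($resets, 42, $t0);
var_dump(redeemResetToken($resets, 42, $late, $t0 + RESET_TTL + 1)); // presented after expiry
```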