PHP password recovery

Tags: php, passwords

I realize that for security that passwords should not be stored in a DB as plaintext. If I hash them, I can validate them for login purposes.

But if I want to set up a password recovery system, what's the best strategy since there is no undoing of the hashing?

Could someone give me a brief overview of a good and secure strategy for storing and recovering passwords?

sehummel asked Jan 21 '11 20:01


4 Answers

You cannot recover passwords that were hashed, nor should you.

What you should do instead is:

  1. Put some verification on the password reset request, like CAPTCHA.
  2. Create a one-time random code and send a link with it to the user's email.
  3. Have this code expire in, say, an hour.
  4. Have this code expire immediately once used.
  5. On the link with the code, if it validates, allow him to change his password.
  6. Notify him that the password was changed, but do not send it in the email.
StasM answered Nov 15 '22 13:11


You don't 'recover' passwords. What you do is one of 2 things.

  1. Email the user a link to create a new password, overriding the current one
  2. Email the user a randomly generated password, then ask them to change it
Rocket Hazmat answered Nov 15 '22 15:11


My process is as follows.

1. User initiates a forgotten password request

The user clicks a forgotten password link and is then redirected to a reset password form where they are asked to enter their registered email address.

2. Email address verified and token generated

After the user has entered their email address, the system verifies that it exists in the database. If the email address is valid then a token is generated and stored in the database with the user's credentials.

3. Send recovery email

An email is sent to the registered email address containing a link to a reset form; the link includes 2 GET parameters: the token and the user's unique ID stored in the database.

4. Reset password

After the user clicks the link they are taken to the reset form. The system retrieves the 2 GET parameters from the URL and verifies they exist in the database. If the token is verified to exist in the database with the user then the user may be shown the reset password form fields to enter a new password.

Security

I suggest using BCrypt (available since PHP 5.3) to hash the passwords and for additional security, perhaps use some sort of expiration for the token so it can't be used after a period of time.

TimD answered Nov 15 '22 13:11
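The flow that StasM's numbered steps and TimD's four-step process both describe (random one-time token, expiry, single use, user ID plus token in the link, bcrypt for the stored password) put together as an added PHP example. This is not code from any of the answers; it assumes PHP 7.1 or later (for `random_bytes()`, `password_hash()`, `hash_equals()` and nullable return types), uses in-memory arrays in place of the database tables the answers mention, and the function names, the `example.com` link and the sample user are invented for illustration.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.1. The "tables" below
// are in-memory arrays standing in for a real database; use prepared
// statements against real tables in production.

const RESET_TOKEN_TTL = 3600; // StasM's "expire in, say, an hour"

// Constructed sample user table: id => [email, password_hash]
$users = [
    42 => [
        'email'         => 'alice@example.com',
        'password_hash' => password_hash('correct horse', PASSWORD_BCRYPT),
    ],
];
// Reset-token table: user_id => [token_hash, expires_at]; one live token per user
$resetTokens = [];

// Steps 2-3: look up the address, mint a one-time token, store only its hash.
// Returns the raw token to put in the emailed link, or null for an unknown email.
// The caller should show the same "if an account exists, mail was sent" message
// either way so the form does not reveal which addresses are registered.
function createResetToken(string $email, array $users, array &$resetTokens): ?string
{
    foreach ($users as $id => $u) {
        if ($u['email'] === $email) {
            $token = bin2hex(random_bytes(32));           // 256-bit unguessable code
            $resetTokens[$id] = [
                'token_hash' => hash('sha256', $token),   // a DB leak does not expose live tokens
                'expires_at' => time() + RESET_TOKEN_TTL,
            ];
            return $token;
        }
    }
    return null;
}

// TimD's link with two GET parameters: the user's ID and the token.
function buildResetLink(int $userId, string $token): string
{
    return 'https://example.com/reset?' . http_build_query(['uid' => $userId, 'token' => $token]);
}

// Step 4: validate uid + token from the link, then set the new password.
// The token row is deleted on any attempt (expired, wrong, or used), so it
// can never be replayed; returns true only when the password was changed.
function consumeResetToken(int $userId, string $token, string $newPassword,
                           array &$users, array &$resetTokens): bool
{
    if (!isset($resetTokens[$userId], $users[$userId])) {
        return false;
    }
    $row = $resetTokens[$userId];
    unset($resetTokens[$userId]);                         // one-time: burn it now
    if (time() > $row['expires_at']) {
        return false;                                     // expired
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;                                     // wrong token, constant-time compare
    }
    $users[$userId]['password_hash'] = password_hash($newPassword, PASSWORD_BCRYPT);
    return true;   // caller: notify the user that the password changed, without including it
}

// Normal login check against the stored bcrypt hash.
function checkLogin(string $email, string $password, array $users): bool
{
    foreach ($users as $u) {
        if ($u['email'] === $email) {
            return password_verify($password, $u['password_hash']);
        }
    }
    return false;
}

// Walk through the flow
$token = createResetToken('alice@example.com', $users, $resetTokens);
echo "Mail link: " . buildResetLink(42, $token) . PHP_EOL;

// A wrong token fails and burns the outstanding token, so a fresh request is needed
var_dump(consumeResetToken(42, 'not-the-token', 'x', $users, $resetTokens));
$token = createResetToken('alice@example.com', $users, $resetTokens);
// Correct token within the hour: password is replaced
var_dump(consumeResetToken(42, $token, 'new passphrase', $users, $resetTokens));
// Same token a second time: rejected, it was single use
var_dump(consumeResetToken(42, $token, 'again', $users, $resetTokens));
// The new password now verifies; the old one no longer does
var_dump(checkLogin('alice@example.com', 'new passphrase', $users));
var_dump(checkLogin('alice@example.com', 'correct horse', $users));
```

Two design choices worth noting: the database keeps only a SHA-256 of the token, so someone who reads the table still cannot complete a reset, and the token row is removed before the expiry and equality checks, so a single bad attempt cannot be followed by a retry against the same code.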


You can create a new (and randomly generated) password for the user, md5 it, and then send it to the user via email.

Eray answered Nov 15 '22 13:11