Does anyone know a good method for setting up a forgot password page? I am using MD5 as my password encryption; now I'm kinda stumped as to a secure way of reversing this.
What's the most common way? Are there any examples available on HS.com?
You're not supposed to be able to reverse the MD5 encryption. It's meant for one-way encryption. The only thing you can do is assign a new password. I guess the hard part is how to make this a secure process.
I'd do it like this: The user requests a new password (because the user forgot their password) by giving their username. An email is sent to the email address of the username that was given, saying "Someone has requested a new password for _username_. To continue, go to: http://website.tld/forgot.php?code=3d4fke" The 3d4fke code is saved, so that when the user comes to the site again with that code (which is already in the url), a new password will finally be issued. There. Simple and secure.
id - user - the auth - pass...
1 - 1 - x392löxskeiw - 12345678901234567890123456789012
Once they request a forgotten password, it will set an auth code into the database; this will be for the link. You will pregenerate the password and email it to them, and once they click the link the password will work... move the md5 over to the user table.. :-)
I know this is a bit late to bring this up, but I thought it would be interesting to note that you do not have to add an additional field for lost passwords. Instead, you can do it entirely in code if you prefer, based on the old hash, and even have it expire automatically.
For example:
PHP Code:
<?php
// Derive a short-lived lost-password code from a static key, the current day and the user's stored hash.
function generateLostPasswordHash($current_pass_hash)
{
    // generate time based on day (midnight today, server local time)
    $dayTime = mktime(0, 0, 0);
    // generate lost password hash based on some hard coded phrase or key, current day's time, and current hash
    $lostPassHash = md5("some random static key" . $dayTime . $current_pass_hash);
    // return only a portion of the hash, starting at character 8 (position starts at 0) and providing 12 characters
    return substr($lostPassHash, 7, 12);
}

/**
 * $current_pass_hash = user's db pass hash
 * $lost_pass_hash = 12 character hash provided by user that we generated for them above
 */
function checkLostPasswordHash($current_pass_hash, $lost_pass_hash)
{
    // generate time based on day
    $dayTime = mktime(0, 0, 0);
    // generate time based on yesterday (quick and dirty way... you could change this)
    // 86400 = # seconds / day (60*60*24)
    $yesterdayTime = $dayTime - 86400;
    // generate pass hash based on today
    $dayLostPassHash = substr(md5("some random static key" . $dayTime . $current_pass_hash), 7, 12);
    // generate pass hash based on yesterday
    $yesterdayLostPassHash = substr(md5("some random static key" . $yesterdayTime . $current_pass_hash), 7, 12);
    // compare as strings in constant time; PHP's loose == would treat e.g. "1e3" and "1000" as equal
    $lost_pass_hash = (string) $lost_pass_hash;
    // if user's pass hash matches today's or yesterday's hash
    if (hash_equals($dayLostPassHash, $lost_pass_hash) || hash_equals($yesterdayLostPassHash, $lost_pass_hash))
    {
        // let user choose new pass or whatever...
    }
    else
    {
        die("Lost Password Request Expired or Invalid.");
    }
}
The method above is fairly secure. We generate a hash that automatically expires based on time (between 24 and 48 hours) without the need to store the generated hash in a database. In other words, we generate a hash based on the old hash, the time, and some static string. We then provide the user with a portion of that hash via email. We then validate the portion of the hash that the user provides by generating it on the server (again) using the old hash, the time, and the same static string. By checking against two times (today / yesterday), you give the hash somewhere between 24 and 48 hours to be used (depending on the server time when it was generated).
Anyway, I thought I would post it as it is a different approach.
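A hardened form of the stateless approach above, written as an added example in Python rather than PHP (not code from this thread): an HMAC under a server-side key replaces md5 over a static string, the expiry time travels inside the token and is authenticated by the MAC, the token is bound to the user's current password hash so it stops working the moment the password is changed, and the comparison is constant-time. SERVER_KEY, the sample password hash and the timestamps are constructed values.

```python
import hashlib
import hmac

# Constructed example key: a real deployment loads this from configuration, never from source.
SERVER_KEY = b"example-server-key-replace-in-deployment"
TOKEN_TTL = 24 * 3600  # a reset link is valid for 24 hours from issue


def _mac(user_id: int, expiry: int, password_hash: str) -> str:
    # Bind the token to the account, its expiry and the *current* password hash:
    # changing the password changes the hash, so a used or stale link stops working.
    msg = f"{user_id}|{expiry}|{password_hash}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_reset_token(user_id: int, password_hash: str, now: int) -> str:
    """Return 'expiry.mac' to embed in the emailed link; nothing is stored server-side."""
    expiry = now + TOKEN_TTL
    return f"{expiry}.{_mac(user_id, expiry, password_hash)}"


def verify_reset_token(user_id: int, password_hash: str, token: str, now: int) -> bool:
    """True only if the token is well-formed, unexpired and its MAC matches."""
    try:
        expiry_str, mac = token.split(".", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False  # malformed token
    if now > expiry:
        return False  # expired; the expiry is covered by the MAC, so it cannot be extended by the client
    expected = _mac(user_id, expiry, password_hash)
    # constant-time comparison; encode both sides so arbitrary user input cannot raise TypeError
    return hmac.compare_digest(expected.encode(), mac.encode())


if __name__ == "__main__":
    stored_hash = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed sample of a stored password hash
    t0 = 1_700_000_000  # constructed issue time (Unix seconds)
    token = issue_reset_token(42, stored_hash, t0)
    print(token, verify_reset_token(42, stored_hash, token, t0 + 60))
```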
To clarify, MD5 is not an encryption method, it's a hash, so there is no going back once you reverse it. IMHO you should have the forgot password button do the following:
- user clicks "I forgot password"
- enters their username and/or/maybe email
- gets emailed a link
- on the page gets to reset the password
You'll need a database or something to keep track of valid links. I would also suggest a timeout period.
__________________
there are 10 types of people in the world, those who know binary and those who don't