Secure PHP Forgotten Password Framework

Posted on 2009-05-19
Last Modified: 2013-12-12
Hi Guys

I have always wanted to get some advice on the best way to manage forgotten passwords, it would be great to hear your thoughts.

I want a user to input their domain name and receive the option to update their password in the most secure way possible.

I like the way facebook emails you a link to an update password page but i need to know what is going on behind the sceens as their URL contains a few additional values and im sure there are some additional security feature in there!!

Any suggestions on a workflow/ framework would be great!

Many thanks in advance

Question by:socross
  • 4
  • 2
LVL 108

Accepted Solution

Ray Paseur earned 500 total points
ID: 24424322
Client registration models probably have code samples and I do not have anything that is very secure.  For most of my apps, if someone forgets the password, I just look up their email address and send them the password!

Here is a general outline of a better-practices way to deal with this issue.

Client registration collects an email address, user name (UNIQUE) and a password.  You make a hash of the user name plus some random string and that becomes the user hash.  You make a hash of the password and that becomes the password hash.  You can use MD5 to make the hash, and there are other algorithms for hashing, too.

Processing login: Collect username or email address and password.  Hash the password.  Lookup the username or email address and the password hash in the data base.  Put a cookie on the browser with the user hash if you want to remember the user's login status.

Processing lost password:  Generate a new random password, store it in clear text and hash it into the password hash field.  Send client an email with the user hash in the GET string of the URL of the lost-password page.  When the client visits that page, give them the new random password and a link to the login page.  They can login and reset their password.

Processing reset password:  Form receives three fields - old password and two fields to choose and verify the new password.  Make a hash of the new password and update the client record.

To this structure you can add HTTPS, security questions, etc., but this has the basics.

HTH, ~Ray

Author Comment

ID: 24425303
Excellent advice,

1. So would this mean i could action a face book style request where the email link forwards to a password form and requests email and new password details?

2. With regards user hash and the password hash do you store both plain text and hash version of the password in the database? I currently only store a hashed version of the password.

The administration system is already hosted on a secure sever https.

Many thanks

LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 500 total points
ID: 24425393
1. You would not need to request the email on this form - you could, but it would be part of the record that is associated with the user hash so you could get it from the data base.  Since a hash is required to gain access to the page, it is very unlikely that anyone would access it at random.

2. Any passwords that are permanent should only be stored as a hash.  The temporary password can be stored in clear text so you can give it to the client on the "lost password" page.

You might also want to have a timer of some sort on the "lost password" functions.  If a lost password is not recovered in, say, an hour, the random password expires, too.  The client can always request a new one.

Good that you are using HTTPS.

Best regards, ~Ray
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.


Author Comment

ID: 24425509
Ok great

1. Is it a requirement to set the temporary password, the facebook process does not. What are the pros and cons.

2.Would i set the expiry of temporary values in the database? What steps are involved?

Many thanks

LVL 108

Expert Comment

by:Ray Paseur
ID: 24426021
1. No, it's probably not a requirement.  You could go either way, so long as there is a way for you to be fairly sure that the person changing a password is the owner of the account.  That's what security questions are all about.  If you are dealing with nuclear codes your security precautions are going to be greater than if you're dealing with facebook stuff.  This is mainly a matter of how you choose to program your application and any of several choices would be OK.

2. An expiry for a data base record would be handled by putting a DATETIME column into the row.  Your SELECT statement would add this to a WHERE clause.  Expired records would not be found.  Separately, a garbage collection script could delete the expired rows - maybe run this as a cron job once a week or so.

$exp = date('c', strtotime('+1 day'));

$sql = "UPDATE my_table SET my_expiry = '$exp' WHERE key = $key LIMIT 1";


$now = date('c');

$sql = SELECT * FROM my_table WHERE my_expiry > '$now' ";

Open in new window

LVL 108

Expert Comment

by:Ray Paseur
ID: 24426518
Thanks for the points, and good luck with it, ~Ray

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Consider the following scenario: You are working on a website and make something great - something that lets the server work with information submitted by your users. This could be anything, from a simple guestbook to a e-Money solution. But what…
Generating table dynamically is the most common issue faced by php developers.... So it seems there is a need of an article that explains the basic concept of generating tables dynamically. It just requires a basic knowledge of html and little maths…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now