[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Secure PHP Forgotten Password Framework

Posted on 2009-05-19
Medium Priority
Last Modified: 2013-12-12
Hi Guys

I have always wanted to get some advice on the best way to manage forgotten passwords, it would be great to hear your thoughts.

I want a user to input their domain name and receive the option to update their password in the most secure way possible.

I like the way facebook emails you a link to an update password page but i need to know what is going on behind the sceens as their URL contains a few additional values and im sure there are some additional security feature in there!!

Any suggestions on a workflow/ framework would be great!

Many thanks in advance

Question by:socross
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
LVL 111

Accepted Solution

Ray Paseur earned 2000 total points
ID: 24424322
Client registration models probably have code samples and I do not have anything that is very secure.  For most of my apps, if someone forgets the password, I just look up their email address and send them the password!

Here is a general outline of a better-practices way to deal with this issue.

Client registration collects an email address, user name (UNIQUE) and a password.  You make a hash of the user name plus some random string and that becomes the user hash.  You make a hash of the password and that becomes the password hash.  You can use MD5 to make the hash, and there are other algorithms for hashing, too.

Processing login: Collect username or email address and password.  Hash the password.  Lookup the username or email address and the password hash in the data base.  Put a cookie on the browser with the user hash if you want to remember the user's login status.

Processing lost password:  Generate a new random password, store it in clear text and hash it into the password hash field.  Send client an email with the user hash in the GET string of the URL of the lost-password page.  When the client visits that page, give them the new random password and a link to the login page.  They can login and reset their password.

Processing reset password:  Form receives three fields - old password and two fields to choose and verify the new password.  Make a hash of the new password and update the client record.

To this structure you can add HTTPS, security questions, etc., but this has the basics.

HTH, ~Ray

Author Comment

ID: 24425303
Excellent advice,

1. So would this mean i could action a face book style request where the email link forwards to a password form and requests email and new password details?

2. With regards user hash and the password hash do you store both plain text and hash version of the password in the database? I currently only store a hashed version of the password.

The administration system is already hosted on a secure sever https.

Many thanks

LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 2000 total points
ID: 24425393
1. You would not need to request the email on this form - you could, but it would be part of the record that is associated with the user hash so you could get it from the data base.  Since a hash is required to gain access to the page, it is very unlikely that anyone would access it at random.

2. Any passwords that are permanent should only be stored as a hash.  The temporary password can be stored in clear text so you can give it to the client on the "lost password" page.

You might also want to have a timer of some sort on the "lost password" functions.  If a lost password is not recovered in, say, an hour, the random password expires, too.  The client can always request a new one.

Good that you are using HTTPS.

Best regards, ~Ray
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 24425509
Ok great

1. Is it a requirement to set the temporary password, the facebook process does not. What are the pros and cons.

2.Would i set the expiry of temporary values in the database? What steps are involved?

Many thanks

LVL 111

Expert Comment

by:Ray Paseur
ID: 24426021
1. No, it's probably not a requirement.  You could go either way, so long as there is a way for you to be fairly sure that the person changing a password is the owner of the account.  That's what security questions are all about.  If you are dealing with nuclear codes your security precautions are going to be greater than if you're dealing with facebook stuff.  This is mainly a matter of how you choose to program your application and any of several choices would be OK.

2. An expiry for a data base record would be handled by putting a DATETIME column into the row.  Your SELECT statement would add this to a WHERE clause.  Expired records would not be found.  Separately, a garbage collection script could delete the expired rows - maybe run this as a cron job once a week or so.
$exp = date('c', strtotime('+1 day'));
$sql = "UPDATE my_table SET my_expiry = '$exp' WHERE key = $key LIMIT 1";
$now = date('c');
$sql = SELECT * FROM my_table WHERE my_expiry > '$now' ";

Open in new window

LVL 111

Expert Comment

by:Ray Paseur
ID: 24426518
Thanks for the points, and good luck with it, ~Ray

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question