Solved

Secure PHP Forgotten Password Framework

Posted on 2009-05-19
6
356 Views
Last Modified: 2013-12-12
Hi Guys

I have always wanted to get some advice on the best way to manage forgotten passwords, it would be great to hear your thoughts.

I want a user to input their domain name and receive the option to update their password in the most secure way possible.

I like the way facebook emails you a link to an update password page but i need to know what is going on behind the sceens as their URL contains a few additional values and im sure there are some additional security feature in there!!

Any suggestions on a workflow/ framework would be great!

Many thanks in advance

--s--
0
Comment
Question by:socross
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 24424322
Client registration models probably have code samples and I do not have anything that is very secure.  For most of my apps, if someone forgets the password, I just look up their email address and send them the password!

Here is a general outline of a better-practices way to deal with this issue.

Client registration collects an email address, user name (UNIQUE) and a password.  You make a hash of the user name plus some random string and that becomes the user hash.  You make a hash of the password and that becomes the password hash.  You can use MD5 to make the hash, and there are other algorithms for hashing, too.

Processing login: Collect username or email address and password.  Hash the password.  Lookup the username or email address and the password hash in the data base.  Put a cookie on the browser with the user hash if you want to remember the user's login status.

Processing lost password:  Generate a new random password, store it in clear text and hash it into the password hash field.  Send client an email with the user hash in the GET string of the URL of the lost-password page.  When the client visits that page, give them the new random password and a link to the login page.  They can login and reset their password.

Processing reset password:  Form receives three fields - old password and two fields to choose and verify the new password.  Make a hash of the new password and update the client record.

To this structure you can add HTTPS, security questions, etc., but this has the basics.

HTH, ~Ray
0
 
LVL 1

Author Comment

by:socross
ID: 24425303
Excellent advice,

1. So would this mean i could action a face book style request where the email link forwards to a password form and requests email and new password details?

2. With regards user hash and the password hash do you store both plain text and hash version of the password in the database? I currently only store a hashed version of the password.

The administration system is already hosted on a secure sever https.

Many thanks

--s--
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 500 total points
ID: 24425393
1. You would not need to request the email on this form - you could, but it would be part of the record that is associated with the user hash so you could get it from the data base.  Since a hash is required to gain access to the page, it is very unlikely that anyone would access it at random.

2. Any passwords that are permanent should only be stored as a hash.  The temporary password can be stored in clear text so you can give it to the client on the "lost password" page.

You might also want to have a timer of some sort on the "lost password" functions.  If a lost password is not recovered in, say, an hour, the random password expires, too.  The client can always request a new one.

Good that you are using HTTPS.

Best regards, ~Ray
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:socross
ID: 24425509
Ok great

1. Is it a requirement to set the temporary password, the facebook process does not. What are the pros and cons.

2.Would i set the expiry of temporary values in the database? What steps are involved?

Many thanks

--s--
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 24426021
1. No, it's probably not a requirement.  You could go either way, so long as there is a way for you to be fairly sure that the person changing a password is the owner of the account.  That's what security questions are all about.  If you are dealing with nuclear codes your security precautions are going to be greater than if you're dealing with facebook stuff.  This is mainly a matter of how you choose to program your application and any of several choices would be OK.

2. An expiry for a data base record would be handled by putting a DATETIME column into the row.  Your SELECT statement would add this to a WHERE clause.  Expired records would not be found.  Separately, a garbage collection script could delete the expired rows - maybe run this as a cron job once a week or so.
// ADDING AN EXPIRATION DATE/TIME TO A ROW WITH key=$key
$exp = date('c', strtotime('+1 day'));
$sql = "UPDATE my_table SET my_expiry = '$exp' WHERE key = $key LIMIT 1";
 
// SELECTING UNEXIPRED RECORDS
$now = date('c');
$sql = SELECT * FROM my_table WHERE my_expiry > '$now' ";

Open in new window

0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 24426518
Thanks for the points, and good luck with it, ~Ray
0

Featured Post

Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this. Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it i…
These days socially coordinated efforts have turned into a critical requirement for enterprises.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question