Secure PHP Forgotten Password Framework

Posted on 2009-05-19
Last Modified: 2013-12-12
Hi Guys

I have always wanted to get some advice on the best way to manage forgotten passwords, it would be great to hear your thoughts.

I want a user to input their domain name and receive the option to update their password in the most secure way possible.

I like the way facebook emails you a link to an update password page but i need to know what is going on behind the sceens as their URL contains a few additional values and im sure there are some additional security feature in there!!

Any suggestions on a workflow/ framework would be great!

Many thanks in advance

Question by:socross
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
LVL 110

Accepted Solution

Ray Paseur earned 500 total points
ID: 24424322
Client registration models probably have code samples and I do not have anything that is very secure.  For most of my apps, if someone forgets the password, I just look up their email address and send them the password!

Here is a general outline of a better-practices way to deal with this issue.

Client registration collects an email address, user name (UNIQUE) and a password.  You make a hash of the user name plus some random string and that becomes the user hash.  You make a hash of the password and that becomes the password hash.  You can use MD5 to make the hash, and there are other algorithms for hashing, too.

Processing login: Collect username or email address and password.  Hash the password.  Lookup the username or email address and the password hash in the data base.  Put a cookie on the browser with the user hash if you want to remember the user's login status.

Processing lost password:  Generate a new random password, store it in clear text and hash it into the password hash field.  Send client an email with the user hash in the GET string of the URL of the lost-password page.  When the client visits that page, give them the new random password and a link to the login page.  They can login and reset their password.

Processing reset password:  Form receives three fields - old password and two fields to choose and verify the new password.  Make a hash of the new password and update the client record.

To this structure you can add HTTPS, security questions, etc., but this has the basics.

HTH, ~Ray

Author Comment

ID: 24425303
Excellent advice,

1. So would this mean i could action a face book style request where the email link forwards to a password form and requests email and new password details?

2. With regards user hash and the password hash do you store both plain text and hash version of the password in the database? I currently only store a hashed version of the password.

The administration system is already hosted on a secure sever https.

Many thanks

LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 500 total points
ID: 24425393
1. You would not need to request the email on this form - you could, but it would be part of the record that is associated with the user hash so you could get it from the data base.  Since a hash is required to gain access to the page, it is very unlikely that anyone would access it at random.

2. Any passwords that are permanent should only be stored as a hash.  The temporary password can be stored in clear text so you can give it to the client on the "lost password" page.

You might also want to have a timer of some sort on the "lost password" functions.  If a lost password is not recovered in, say, an hour, the random password expires, too.  The client can always request a new one.

Good that you are using HTTPS.

Best regards, ~Ray
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.


Author Comment

ID: 24425509
Ok great

1. Is it a requirement to set the temporary password, the facebook process does not. What are the pros and cons.

2.Would i set the expiry of temporary values in the database? What steps are involved?

Many thanks

LVL 110

Expert Comment

by:Ray Paseur
ID: 24426021
1. No, it's probably not a requirement.  You could go either way, so long as there is a way for you to be fairly sure that the person changing a password is the owner of the account.  That's what security questions are all about.  If you are dealing with nuclear codes your security precautions are going to be greater than if you're dealing with facebook stuff.  This is mainly a matter of how you choose to program your application and any of several choices would be OK.

2. An expiry for a data base record would be handled by putting a DATETIME column into the row.  Your SELECT statement would add this to a WHERE clause.  Expired records would not be found.  Separately, a garbage collection script could delete the expired rows - maybe run this as a cron job once a week or so.
$exp = date('c', strtotime('+1 day'));
$sql = "UPDATE my_table SET my_expiry = '$exp' WHERE key = $key LIMIT 1";
$now = date('c');
$sql = SELECT * FROM my_table WHERE my_expiry > '$now' ";

Open in new window

LVL 110

Expert Comment

by:Ray Paseur
ID: 24426518
Thanks for the points, and good luck with it, ~Ray

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question