Secure PHP Forgotten Password Framework

Hi Guys

I have always wanted to get some advice on the best way to manage forgotten passwords, it would be great to hear your thoughts.

I want a user to input their domain name and receive the option to update their password in the most secure way possible.

I like the way Facebook emails you a link to an update password page but I need to know what is going on behind the scenes as their URL contains a few additional values and I'm sure there are some additional security features in there!!

Any suggestions on a workflow/ framework would be great!

Many thanks in advance

Ray Paseur Commented:
Client registration models probably have code samples and I do not have anything that is very secure.  For most of my apps, if someone forgets the password, I just look up their email address and send them the password!

Here is a general outline of a better-practices way to deal with this issue.

Client registration collects an email address, user name (UNIQUE) and a password.  You make a hash of the user name plus some random string and that becomes the user hash.  You make a hash of the password and that becomes the password hash.  You can use MD5 to make the hash, and there are other algorithms for hashing, too.

Processing login: Collect username or email address and password.  Hash the password.  Look up the username or email address and the password hash in the database.  Put a cookie on the browser with the user hash if you want to remember the user's login status.

Processing lost password:  Generate a new random password, store it in clear text and hash it into the password hash field.  Send client an email with the user hash in the GET string of the URL of the lost-password page.  When the client visits that page, give them the new random password and a link to the login page.  They can login and reset their password.

Processing reset password:  Form receives three fields - old password and two fields to choose and verify the new password.  Make a hash of the new password and update the client record.

To this structure you can add HTTPS, security questions, etc., but this has the basics.

HTH, ~Ray
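As an added example (not code from this thread or from Ray), here is the registration / login / lost-password / reset workflow from the answer above written as one runnable PHP script. It departs from the answer in two ways worth naming: it uses PHP's built-in password_hash()/password_verify() rather than MD5, and instead of mailing a clear-text temporary password it mails a random single-use token whose SHA-256 hash is stored alongside an expiry, so the e-mailed link (like the Facebook-style one in the question) is what proves ownership of the account. The in-memory $users array, the user "alice", and the reset URL are constructed stand-ins.

```php
<?php
// Added example, not from the original thread. The "database" is a constructed
// in-memory array; a real application would use persistent storage.
// Requires PHP >= 7.1 (random_bytes, nullable return types).

const RESET_TOKEN_TTL = 3600; // seconds a reset link stays valid (one hour)

$users = []; // constructed stand-in for the users table, keyed by user name

function registerUser(array &$users, string $username, string $email, string $password): void
{
    if (isset($users[$username])) {
        throw new RuntimeException('user name must be unique');
    }
    $users[$username] = [
        'email'         => $email,
        'password_hash' => password_hash($password, PASSWORD_DEFAULT), // salted bcrypt
        'reset_hash'    => null, // sha256 of the outstanding reset token, never the token itself
        'reset_expires' => null, // unix timestamp after which the token is useless
    ];
}

function login(array $users, string $username, string $password): bool
{
    // Verify against a throwaway hash for unknown users so the response time
    // does not reveal whether the account exists.
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username]['password_hash'] : password_hash('unused', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && $known;
}

// Step 1 of "lost password": mint a single-use token, store only its hash, and
// return the URL that would be e-mailed. Returns null for an unknown user, but
// the caller should show the same "check your e-mail" message either way.
function requestPasswordReset(array &$users, string $usernameOrEmail, int $now): ?string
{
    foreach ($users as $name => &$u) {
        if ($name === $usernameOrEmail || $u['email'] === $usernameOrEmail) {
            $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
            $u['reset_hash']    = hash('sha256', $token); // a DB leak does not yield usable links
            $u['reset_expires'] = $now + RESET_TOKEN_TTL;
            // Hypothetical URL; the token travels in the GET string of the link.
            return 'https://example.invalid/reset.php?user=' . rawurlencode($name) . '&token=' . $token;
        }
    }
    unset($u);
    return null;
}

// Step 2: the link is visited and the user submits the new password twice.
function completePasswordReset(array &$users, string $username, string $token,
                               string $newPassword, string $confirm, int $now): bool
{
    if ($newPassword !== $confirm || strlen($newPassword) < 12) {
        return false;
    }
    $u = $users[$username] ?? null;
    if ($u === null || $u['reset_hash'] === null || $now > $u['reset_expires']) {
        return false; // unknown user, no outstanding request, or link expired
    }
    // Constant-time comparison of the hash of the presented token with the stored hash.
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$username]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$username]['reset_hash']    = null; // single use: invalidate the token
    $users[$username]['reset_expires'] = null;
    return true;
}

// Walk-through with constructed data.
registerUser($users, 'alice', 'alice@example.invalid', 'correct horse battery');
$now  = time();
$link = requestPasswordReset($users, 'alice@example.invalid', $now);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

var_dump(completePasswordReset($users, 'alice', 'wrong-token', 'new password 12345', 'new password 12345', $now));                           // wrong token
var_dump(completePasswordReset($users, 'alice', $query['token'], 'new password 12345', 'new password 12345', $now + RESET_TOKEN_TTL + 1)); // link expired
var_dump(completePasswordReset($users, 'alice', $query['token'], 'new password 12345', 'new password 12345', $now));                        // valid reset
var_dump(login($users, 'alice', 'new password 12345'));                                                                                      // new password works
var_dump(completePasswordReset($users, 'alice', $query['token'], 'another pw 123456', 'another pw 123456', $now));                          // token already consumed
```

Two design choices carry most of the security weight: the stored value is a hash of the token, so someone who reads the table cannot build a working link from it, and the token is cleared the moment it is used, so a link that leaks from a mailbox later is worthless. The expiry timestamp implements the one-hour timer suggested later in the thread.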
socross (Author) Commented:
Excellent advice,

1. So would this mean I could action a Facebook style request where the email link forwards to a password form and requests email and new password details?

2. With regards to the user hash and the password hash, do you store both plain text and hashed versions of the password in the database? I currently only store a hashed version of the password.

The administration system is already hosted on a secure server (HTTPS).

Many thanks

Ray Paseur Commented:
1. You would not need to request the email on this form - you could, but it would be part of the record that is associated with the user hash so you could get it from the database.  Since a hash is required to gain access to the page, it is very unlikely that anyone would access it at random.

2. Any passwords that are permanent should only be stored as a hash.  The temporary password can be stored in clear text so you can give it to the client on the "lost password" page.

You might also want to have a timer of some sort on the "lost password" functions.  If a lost password is not recovered in, say, an hour, the random password expires, too.  The client can always request a new one.

Good that you are using HTTPS.

Best regards, ~Ray

socross (Author) Commented:
Ok great

1. Is it a requirement to set the temporary password? The Facebook process does not. What are the pros and cons?

2. Would I set the expiry of temporary values in the database? What steps are involved?

Many thanks

Ray Paseur Commented:
1. No, it's probably not a requirement.  You could go either way, so long as there is a way for you to be fairly sure that the person changing a password is the owner of the account.  That's what security questions are all about.  If you are dealing with nuclear codes your security precautions are going to be greater than if you're dealing with Facebook stuff.  This is mainly a matter of how you choose to program your application and any of several choices would be OK.

2. An expiry for a database record would be handled by putting a DATETIME column into the row.  Your SELECT statement would add this to a WHERE clause.  Expired records would not be found.  Separately, a garbage collection script could delete the expired rows - maybe run this as a cron job once a week or so.
// Stamp the row with an expiry one day from now
$exp = date('c', strtotime('+1 day'));
$sql = "UPDATE my_table SET my_expiry = '$exp' WHERE `key` = $key LIMIT 1";
// Later: only rows whose expiry is still in the future are returned
$now = date('c');
$sql = "SELECT * FROM my_table WHERE my_expiry > '$now'";

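As an added example (not Ray's code), the same expiry pattern with PDO prepared statements, so the key and the timestamps are bound as parameters rather than interpolated into the SQL string. It uses an in-memory SQLite database and a constructed password_resets table (a MySQL DSN would be substituted in production); the column name my_expiry is kept from the snippet above. It shows the INSERT that stamps the expiry, the SELECT whose WHERE clause hides expired rows, and the garbage-collection DELETE meant for a cron job.

```php
<?php
// Added example, not from the original thread. Requires the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_resets (
    user_id    INTEGER NOT NULL,
    token_hash TEXT    NOT NULL,
    my_expiry  TEXT    NOT NULL   -- ISO-8601 in UTC, so string comparison orders correctly
)');

// Always stamp rows in UTC so the comparison does not depend on the server time zone.
function utcTimestamp(int $t): string
{
    return gmdate('Y-m-d\TH:i:s\Z', $t);
}

// Store a reset token (its hash only) with a one-hour expiry.
function storeReset(PDO $db, int $userId, string $tokenHash, int $now, int $ttl = 3600): void
{
    $stmt = $db->prepare('INSERT INTO password_resets (user_id, token_hash, my_expiry) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $tokenHash, utcTimestamp($now + $ttl)]);
}

// Look up a token; the WHERE clause makes expired rows invisible to the application.
function findLiveReset(PDO $db, string $tokenHash, int $now): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM password_resets WHERE token_hash = ? AND my_expiry > ? LIMIT 1');
    $stmt->execute([$tokenHash, utcTimestamp($now)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

// Garbage collection for a cron job: delete everything already expired, return the count.
function purgeExpiredResets(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM password_resets WHERE my_expiry <= ?');
    $stmt->execute([utcTimestamp($now)]);
    return $stmt->rowCount();
}

// Walk-through with constructed data.
$now       = time();
$tokenHash = hash('sha256', bin2hex(random_bytes(32))); // only the hash ever reaches the table
storeReset($db, 42, $tokenHash, $now);
var_dump(findLiveReset($db, $tokenHash, $now));         // within the hour: row is found
var_dump(findLiveReset($db, $tokenHash, $now + 3601));  // after the hour: row is hidden
var_dump(purgeExpiredResets($db, $now + 3601));         // cron-style cleanup removes it
```

Because every timestamp is written and compared in UTC with a fixed format, the expiry check is the same on any server, and because the token column holds a hash, an expired or leaked row cannot be turned back into a working link.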

Ray Paseur Commented:
Thanks for the points, and good luck with it, ~Ray
Question has a verified solution.