FORGOT PASSWORD Dilemma

Posted: Fri Aug 16, 2002 5:43 pm
by JPlush76
I'm making a "forgot password" page on my login form. The forgot form asks for an email address and then will email the username/password to that address.

But as I'm coding I realized... in the profiles I display their email addy, so anyone could just type in someone else's email address.

Although the real user is the only one who gets the email, is that the smartest way of going about things?

Posted: Fri Aug 16, 2002 6:42 pm
by gotDNS
On my website, Poetry.mine.nu, the way I go about passwords is more complex than yours, but simpler in the same way... here:

I think, in your case, it is bad judgement NOT to hash the passwords... not only would people not trust you if they found out, but it's just not good backend security in general. I suggest that you 'md5' (a form of hashing) your passwords. So when they sign up, it does:

Code:

// Hash the password the user typed; this hash, not the clear text, goes into the insert.
md5($password)
Then, when they go to log in, it hashes what they enter and compares that to what is in the database... (say that the name of the username input box on the login form is "username" and the password box name is "password"):

Code:

// Escape the typed username before building the query, then look the user up.
// DBname and usercol are placeholders for your table and username column.
$username = mysql_real_escape_string($username);
$result = mysql_query("select * from DBname where usercol='$username'");
$row = mysql_fetch_assoc($result);

// Hash what they typed and compare it with the stored hash.
if ($row && $row["password"] == md5($password))
{
    $loggedin = $username;
    session_register("loggedin");
}
Then, in the rest of the site, you can check if they're logged in by:

Code:

if (session_is_registered("loggedin")) {}
So ANYWAY, about your 'forgot password' page. What you have them do is send you an e-mail FROM the e-mail address that they signed up with (so you know that they truly are who they say they are), then just hash up another temporary password and stick it in the DB under their name.... You can have a little admin page where you can enter something, and it'll return the hash, then just c/p and insert it into the DB under their name. So then you just put in like 'bob', put that in the DB for them, and e-mail them back telling them that their password has been changed to 'bob'. They can then proceed to change it at an 'Account' page... supposing you have one. If you don't have an account page... I suggest you make one... if not, just have them e-mail you what they WANT to be their password... then you hash it up and stick it in the DB. (If you think that "ooo, but then I'd know their password"... well, you could have looked anytime you wanted with your original/non-hash scheme.)


I really hope that all made sense, and it's a very secure and efficient way of doing things... feel free to c/p the code.....

later on, -Brian
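
The signup, login and forgot-password flow described in the post above, written out as an added example (not code from this thread). It swaps bare md5() for PHP's password_hash()/password_verify(), which salt and slow the hash, and handles the reset with a random temporary password whose hash replaces the old one, so the reply to the browser is identical whether or not the submitted address is registered. The in-memory $users array and the mail callback are stand-ins for the real DB and mailer.

```php
<?php
// Added example, not the thread's code. The "database" is an array so the
// script runs stand-alone; $send_mail stands in for the real mailer.

$users = []; // username => ['email' => ..., 'pwhash' => ...]

function signup(array &$users, string $username, string $email, string $password): void {
    // Only the hash is stored; the clear-text password never reaches the DB.
    $users[$username] = [
        'email'  => strtolower($email),
        'pwhash' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

function login(array $users, string $username, string $password): bool {
    if (!isset($users[$username])) {
        return false;
    }
    // Compare what was typed against the stored (salted) hash.
    return password_verify($password, $users[$username]['pwhash']);
}

// Forgot-password step. Anyone may submit any address (the original poster's
// worry), so the message shown in the browser is the same either way, and the
// temporary password goes only to the address on file, never back to the form.
function forgot_password(array &$users, string $email, callable $send_mail): string {
    $email = strtolower($email);
    foreach ($users as $username => &$u) {
        if ($u['email'] === $email) {
            $temp = bin2hex(random_bytes(8)); // 16 random hex chars
            $u['pwhash'] = password_hash($temp, PASSWORD_DEFAULT);
            $send_mail($u['email'], "Temporary password for $username: $temp");
            break;
        }
    }
    unset($u);
    return 'If that address is registered, a temporary password has been sent.';
}

// Demo run with constructed data.
$outbox = [];
$send = function (string $to, string $body) use (&$outbox) { $outbox[$to] = $body; };
signup($users, 'alice', 'alice@example.com', 'hunter2');
var_dump(login($users, 'alice', 'hunter2'));                      // old password works
echo forgot_password($users, 'nobody@example.com', $send), "\n";  // unknown address: same message, nothing mailed
echo forgot_password($users, 'alice@example.com', $send), "\n";   // known address: temp password mailed
var_dump(login($users, 'alice', 'hunter2'));                      // old password no longer verifies
var_dump(count($outbox));                                         // one message, to alice only
```

Have the account page require the temporary password before accepting a new one, so a mailbox alone is not enough to keep the account.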

Posted: Fri Aug 16, 2002 6:56 pm
by JPlush76
Thanks for the great reply, Brian.

So the user enters a password on the signup page, and on the process form you run the md5 function on it before it goes into the insert statement?

Posted: Fri Aug 16, 2002 7:16 pm
by hob_goblin
yup.

Posted: Fri Aug 16, 2002 8:06 pm
by gotDNS
Glad I could help.....good luck!

later on, -Brian