Retrieving passwords

f1nutter
Forum Contributor
Posts: 125
Joined: Wed Jun 05, 2002 12:08 pm
Location: London

Retrieving passwords

Post by f1nutter »

Hi folks,

At the moment I am setting up a members area on my site for playing games with particular user settings. It is intended that the user registers their details, user name, password, email etc. I will then use sessions to track the users, and not .htaccess for a general members area.

My question is: once the user has registered, how do they retrieve their password if they forget? I am using the code for this forum as an example, and notice that the passwords are encrypted using md5. I know this is a hash function and so one-way, so how is the password recovered and emailed to the forgetful user? I have searched the source code and MySQL files for the plaintext password (thankfully not found), so how does phpBB do it?

Thanks.
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

I don't know for phpBB specifically but it seems like most forums/sites which use md5 (or similar) encryption on passwords don't e-mail you your actual password if you forget it. They just tend to reset your password to a randomly generated one, e-mail that to you and you can then log in and change the password to whatever you like.

Mac
f1nutter
Forum Contributor
Posts: 125
Joined: Wed Jun 05, 2002 12:08 pm
Location: London

Post by f1nutter »

You're right, must have been thinking about something else :oops:

Now, do I use this reset example, or find a way of encrypting/decrypting the password? I have searched the forums for crypto examples and can handle this kind of thing.

There is a problem with resetting passwords. If I wanted to, I could easily reset a friend's Hotmail account, just by guessing (knowing) their "secret" question, "Where do you live?".

Not really secure, is it!
~J~R~R
Forum Newbie
Posts: 20
Joined: Wed Sep 18, 2002 12:19 pm
Location: Amsterdam, the Netherlands

Post by ~J~R~R »

You should do it this way: You make a new (randomly generated) password, which is emailed to the e-mail of the user. You have to click a link in that e-mail to activate the new password. This way, you can't change your password, only if you already are logged in (in the CP somewhere). This is also phpBB's way.
AVATAr
Forum Regular
Posts: 524
Joined: Tue Jul 16, 2002 4:19 pm
Location: Uruguay -- Montevideo

Secret question

Post by AVATAr »

Permit the user to set the question, so they can put a smart answer.

If you guess it... well.. the user will receive a mail with the reset password... it's not "not secure"... it's very secure because only the real user has access to that password. :wink:
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I love security topics, if y'all couldn't tell :)

The "anyone-may-reset-anyone's-password" approach is quite common, accepted and isn't commonly abused. However, it is not secure. Yes, the new random password is sent to the confirmed email address for the user. However, the email is sent in the clear. If a person wanted to compromise an account, all that is typically needed is:
1) know the user's email address and/or username (neither of which are secrets)
2) be able to read network traffic (not particularly hard)

Adding the custom question-answer method helps in making 1) harder; at least the attacker needs to research the target first. llimllib suggested in an earlier thread restricting the password reset to IPs that the user has logged in from before as an additional barrier. This works well for web-site users who use home/work computers primarily, but fails for universities with large clusters, libraries, etc., and other "public" computers.

I'm working on a system that involves both questions/answers and IP tracking for password reset OR encrypts email with a user-provided public key. I.e., if the user gives me a public key, I won't track their IP and they won't be bothered with questions --- giving me the security I want and them the security and privacy they want!
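The activation-link reset that ~J~R~R describes, written out as an added example (not code from the thread or from phpBB), with the mitigations nielsene's post points at: the link carries a random single-use token that expires after an hour, the database stores only a hash of it, and the new password is chosen by the user after the link is consumed, so nothing observed in the e-mail is useful for long. The in-memory arrays stand in for MySQL tables and the user name is constructed for the walkthrough.

```php
<?php
// Added example: single-use, time-limited password reset token flow (PHP 7+).
// Only a hash of the token is stored, so a leaked table cannot reset accounts.
// $users and $resets are assumed in-memory stand-ins for database tables.

const TOKEN_TTL = 3600; // reset links are valid for one hour

$users  = ['f1nutter' => ['email' => 'user@example.com', 'pw_hash' => null]];
$resets = []; // sha256(token) => ['user' => ..., 'expires' => ...]

// Step 1: user asks for a reset. Generate a random token, store only its hash.
function createResetToken(string $username, array &$resets): string {
    $token = bin2hex(random_bytes(32));              // 256 bits of CSPRNG output
    $resets[hash('sha256', $token)] = [
        'user'    => $username,
        'expires' => time() + TOKEN_TTL,
    ];
    return $token; // mail this as https://example.com/reset.php?t=<token> (assumed URL)
}

// Step 2: user clicks the link. Look up by hash, enforce expiry, consume the token.
function consumeResetToken(string $token, array &$resets): ?string {
    $key = hash('sha256', $token);
    if (!isset($resets[$key])) {
        return null;                                 // unknown or already used
    }
    $entry = $resets[$key];
    unset($resets[$key]);                            // single use, even when expired
    if ($entry['expires'] < time()) {
        return null;                                 // stale link, discard
    }
    return $entry['user'];
}

// Step 3: only now does the user choose a new password; store a salted hash.
function setPassword(string $username, string $newPassword, array &$users): void {
    $users[$username]['pw_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
}

// Walkthrough: request, follow link, set password, then try replaying the link.
$token = createResetToken('f1nutter', $resets);
$who   = consumeResetToken($token, $resets);
if ($who !== null) {
    setPassword($who, 'correct horse battery staple', $users);
}
echo $who === 'f1nutter' ? "reset accepted\n" : "reset rejected\n";
echo consumeResetToken($token, $resets) === null ? "replay rejected\n" : "replay accepted\n";
echo password_verify('correct horse battery staple', $users['f1nutter']['pw_hash'])
    ? "new password verifies\n" : "new password does not verify\n";
```

Because the plaintext token exists only in the e-mail and the hash only in the table, an attacker needs both the mail and to act before the user does; pairing this with nielsene's IP or public-key ideas raises the bar further.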