
Retrieving passwords

Posted: Thu Sep 19, 2002 8:07 am
by f1nutter
Hi folks,

At the moment I am setting up a members area on my site for playing games with particular user settings. It is intended that the user registers their details, user name, password, email etc. I will then use sessions to track the users, and not .htaccess for a general members area.

My question is: once the user has registered, how do they retrieve their password if they forget? I am using the code for this forum as an example, and notice that the passwords are encrypted using md5. I know this is a hash function and so one-way, so how is the password recovered and emailed to the forgetful user? I have searched the source code and MySQL files for the plaintext password (thankfully not found), so how does phpBB do it?

Thanks.

Posted: Thu Sep 19, 2002 8:12 am
by twigletmac
I don't know for phpBB specifically but it seems like most forums/sites which use md5 (or similar) encryption on passwords don't e-mail you your actual password if you forget it. They just tend to reset your password to a randomly generated one, e-mail that to you and you can then log in and change the password to whatever you like.

Mac

Posted: Thu Sep 19, 2002 8:53 am
by f1nutter
You're right, must have been thinking about something else :oops:

Now, do I use this reset example, or find a way of encrypting/decrypting the password? I have searched the forums for crypto examples and can handle this kind of thing.

There is a problem with resetting passwords. If I wanted to, I could easily reset a friend's Hotmail account, just by guessing (knowing) their "secret" question, "Where do you live?".

Not really secure, is it!

Posted: Thu Sep 19, 2002 8:58 am
by ~J~R~R
You should do it this way: You make a new (randomly generated) password, which is emailed to the e-mail of the user. You have to click a link in that e-mail to activate the new password. This way, you can't change your password, only if you already are logged in (in the CP somewhere). This is also phpBB's way.

Secret question

Posted: Thu Sep 19, 2002 8:58 am
by AVATAr
Permit the user to do the question, so they can put a smart answer.

If you guess it... well... the user will receive a mail with the reset password... it's not "not secure"... it's very secure because only the real user has access to that password. :wink:

Posted: Thu Sep 19, 2002 9:16 am
by nielsene
I love security topics, if y'all couldn't tell :)

The "anyone-may-reset-anyone's-password" approach is quite common, accepted and isn't commonly abused. However, it is not secure. Yes, the new random password is sent to the confirmed email address for the user. However, the email is sent in the clear. If a person wanted to compromise an account, all that is typically needed is
1) know the user's email address and/or username (neither of which are secrets)
2) be able to read network traffic (not particularly hard)

Adding the custom question-answer method helps in making 1) harder; at least the attacker needs to research the target first. llimllib suggested in an earlier thread restricting the password reset to IPs that the user has logged in from before as an additional barrier. This works well for web-site users who use home/work computers primarily, but fails for universities with large clusters, libraries, etc., and other "public" computers.

I'm working on a system that involves both questions/answers and IP tracking for password reset OR encrypts email with a user provided public key. I.e. if the user gives me a public key, I won't track their IP and they won't be bothered with questions --- giving me the security I want and them the security and privacy they want!
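The flow ~J~R~R describes (random secret e-mailed, nothing changes until the link is clicked) and nielsene's point that the e-mail travels in the clear both argue for mailing a short-lived, single-use token rather than a new password. The following is an added example, not code from the thread or from phpBB; the user record, e-mail address and URL are constructed, and an in-memory dict stands in for the users table.

```python
# Added example (not from the original thread or phpBB): a token-based
# password reset. The e-mail carries a one-time random token, not a
# password; only the token's hash is stored, it expires, and it is
# consumed on first use, so a copy read off the wire later is useless.
import hashlib, hmac, os, secrets, time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

def hash_password(password, salt=None):
    """Salted PBKDF2 instead of the bare md5 mentioned in the thread."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest

def check_password(password, stored):
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

users = {"alice": {"email": "alice@example.org",   # constructed sample user
                   "pw": hash_password("correct horse"),
                   "reset": None}}

def request_reset(username, now=None):
    """Step 1: mint a one-time token; return the link to put in the e-mail."""
    user = users.get(username)
    if user is None:
        return None   # caller shows the same message either way
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": hashlib.sha256(token.encode()).digest(),
                     "expires": (now or time.time()) + TOKEN_TTL}
    return "https://example.org/reset?u=%s&t=%s" % (username, token)

def complete_reset(username, token, new_password, now=None):
    """Step 2: the click on the link. Token must match, be fresh and unused."""
    user = users.get(username)
    pending = user and user["reset"]
    if not pending or (now or time.time()) > pending["expires"]:
        return False
    if not hmac.compare_digest(
            hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    user["reset"] = None                  # single use: consume the token
    user["pw"] = hash_password(new_password)
    return True
```

Nothing about the account changes until `complete_reset` succeeds, which is what keeps an unsolicited reset request from locking the real user out.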