Is this below a risky idea about users' privacy?

jankidudel
Forum Commoner
Posts: 91
Joined: Sat Oct 16, 2010 4:30 pm
Location: Lithuania, Vilnius

Is this below a risky idea about users' privacy?

Post by jankidudel »

Hi, I'm making a website where the user leaves his login/password in our database. I am thinking about how to implement actions if he forgot his pass...


1. Get it manually from the database, use some program which decodes the pass (md5 decoder) and send it via email to the user :D (easy way)

2. When he registers, send his data to the admin, with usernames and passwords in plain characters (not encrypted).

Well, I'm thinking of not doing it that way, but instead: if he forgets the pass, create a new temporary one, send it via email, and then the user can change it.

I'm waiting for your replies :)
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Is this below a risky idea about users' privacy?

Post by Jonah Bron »

The create-temporary-and-send-to-user option is the only viable solution (note that's what everyone does). There's no practical way to decrypt a hash (at least none that should be part of a password recovery system). You should never store non-encrypted passwords in any form.
jankidudel
Forum Commoner
Posts: 91
Joined: Sat Oct 16, 2010 4:30 pm
Location: Lithuania, Vilnius

Re: Is this below a risky idea about users' privacy?

Post by jankidudel »

@Jonah Bron ... look here :D

http://www.md5decrypter.com/
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Is this below a risky idea about users' privacy?

Post by Jonah Bron »

That website does not decrypt hashes. As I stated before, it's impossible (without a brute force attack or a rainbow table). That site uses a rainbow table to look up the string that creates that hash.

To prove it, read what it says on that page, and try to decrypt "50a723a285df46628e96d22268d4a191" (the value of which is "helloworldhowareyouthereisnowaytheywillfigureoutwhatthevalueofthishashis").
jankidudel
Forum Commoner
Posts: 91
Joined: Sat Oct 16, 2010 4:30 pm
Location: Lithuania, Vilnius

Re: Is this below a risky idea about users' privacy?

Post by jankidudel »

Oh, I see, thanks for your advice.
kalpesh.mahida
Forum Commoner
Posts: 36
Joined: Wed Oct 06, 2010 7:09 am

Re: Is this below a risky idea about users' privacy?

Post by kalpesh.mahida »

Hi jankidudel,

You can do it another way as well.
The steps could be as below:

1) The user requests a password change by providing his email id in case he forgot it.
2) Your script generates a token and sends the token with a password reset link.
3) The user goes to the reset link and provides the token (it could be manual or automated).
4) The script checks the validity of the token.
5) For a valid token, the system allows the user to change the password.

Here we are sending the token to reset the password to the email registered with the application, so if the actual email holder doesn't want to change his/her password, he/she can simply ignore the message. In the case you have mentioned, if I know your email id registered with the application, I can make a request and your password will get changed; I won't get your password, but your password will get changed even though you don't want to change it.

HTH
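The token flow described in the steps above, written out as an added example (not code from the thread). It uses an in-memory array in place of a database table, and the function names, the 3600-second lifetime and the sample user are assumptions; the two security details it adds to the steps are that only a hash of the token is stored, so a leaked table does not yield usable links, and that the token is single-use and expiring, so a request that the real mailbox owner ignores never changes anything.

```php
<?php
// Added example of the token-based reset flow; not the forum's or any project's own code.
const TOKEN_TTL = 3600; // assumed: a reset link stays valid for one hour

// Step 2: create a single-use token. The raw token goes into the emailed link;
// only its SHA-256 hash is stored, so a read of the table gives no usable link.
function createResetToken(array &$store, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not guessable
    $store[$userId] = ['hash' => hash('sha256', $token), 'expires' => $now + TOKEN_TTL];
    return $token; // caller builds e.g. https://example.test/reset?uid=42&token=... (assumed URL)
}

// Steps 4-5: the token must be present, unexpired and equal (constant-time compare)
// before anything changes. A used token is deleted so the link cannot be replayed.
function consumeResetToken(array &$store, int $userId, string $token, int $now): bool {
    if (!isset($store[$userId])) { return false; }                    // nothing pending
    $rec = $store[$userId];
    if ($now > $rec['expires']) { unset($store[$userId]); return false; } // link expired
    if (!hash_equals($rec['hash'], hash('sha256', $token))) { return false; } // wrong token
    unset($store[$userId]);                                           // single use
    return true;
}

// The password is replaced only after the token check, and stored via password_hash(),
// never as plain text or an unsalted md5 as in the original post's options 1 and 2.
function resetPassword(array &$store, array &$users, int $userId, string $token, string $new, int $now): bool {
    if (!consumeResetToken($store, $userId, $token, $now)) { return false; }
    $users[$userId]['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// Walk-through with constructed data
$users = [42 => ['email' => 'alice@example.test',
                 'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$resetTokens = [];
$now = time();
$token = createResetToken($resetTokens, 42, $now);   // this is what the email link carries
$checks = [
    'forged link rejected'  => resetPassword($resetTokens, $users, 42, 'not-the-token', 'x', $now) === false,
    'real link works once'  => resetPassword($resetTokens, $users, 42, $token, 'new-secret', $now) === true,
    'replay rejected'       => resetPassword($resetTokens, $users, 42, $token, 'again', $now) === false,
    'new password verifies' => password_verify('new-secret', $users[42]['password_hash']),
    'old password gone'     => !password_verify('old-secret', $users[42]['password_hash']),
];
foreach ($checks as $name => $ok) {
    if (!$ok) { throw new RuntimeException("check failed: $name"); }
    echo "$name: ok\n";
}
```

The response to step 1 should look the same whether or not the email exists in the table, so the form cannot be used to confirm which addresses are registered.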
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Is this below a risky idea about users' privacy?

Post by pickle »

Moving to Theory and Design
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jankidudel
Forum Commoner
Posts: 91
Joined: Sat Oct 16, 2010 4:30 pm
Location: Lithuania, Vilnius

Re: Is this below a risky idea about users' privacy?

Post by jankidudel »

Why not :)