Is this lost password system suitably secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

cs-web
Forum Commoner
Posts: 27
Joined: Fri Mar 11, 2005 11:57 am

Is this lost password system suitably secure?

Post by cs-web »

I'm making the lost password tool for my site at the moment and I'm finding it hard to get my head round. I decided on doing a method where a user types in his/her username and email and then a new password is randomly generated, MD5ed and added to the new password field of the user database.

Then the user's id and MD5ed previous password are fetched from the database and the user is emailed their new generated password and a link to activate it which consists of

mysite:activatepassword.php?userid=(the users id)&activatekey=(old pass word md5 hash)

then activatepassword.php updates rows where userid is the userid passed and the activate key is the current password hash, to set the current password to the newpassword field and then reset the newpassword field to nothing.

Is that system secure? Any more efficient/better suggestions?

Chris
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

I assume that you are verifying the user's email address from your database?

I wouldn't even mess about like that with all your MD5 creating random PWs and emailing them.

I'd do this:
1. Store a secret question & answer in the DB in the first place.
2. Check the email they give you is the one they registered with.
3. Revoke the account by setting a field in your Database (something like 'revoked') with a value of 'yes'. Revoked accounts should not be able to login at all.
4. Send an email with a link to a page that allows them to change their PW. This page should ask them the secret question, if they provide the correct answer it should go to stage 5.
5. Present them with a box to enter a new password. MD5 this PW, set revoked='no'.
6. Take them back to the login page to login with their shiny new password.
cs-web
Forum Commoner
Posts: 27
Joined: Fri Mar 11, 2005 11:57 am

Post by cs-web »

yeah but then you get some people who just type in other people's user names and email which can be very annoying for them as they have to go through all that to be able to login again.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

you can set it up such that the new password is stored in a separate field of the table. If the user attached to it merely logs in while a "new password" is set with their normal password, then that field is wiped and the account switches back to normal. You can tell the user this in the email you send to the original email address when a new password is requested. Providing them a link that denies the change can also be useful.

Something else to do is do access auditing of the feature. If abusive behaviour is spotted, start talking to the ISP of the IP in question. Make sure to have details of specific timestamps and actions that IP took while on the site.
cs-web
Forum Commoner
Posts: 27
Joined: Fri Mar 11, 2005 11:57 am

Post by cs-web »

So is it a good idea to generally log all activity on the site?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

yes, although to what extent depends on your specific needs. Some sites don't need it, some do.
cs-web
Forum Commoner
Posts: 27
Joined: Fri Mar 11, 2005 11:57 am

Post by cs-web »

So you would say the system I proposed is secure, but I should add a deny change feature and also log activity on the password recovery system?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I don't see why the old password is sent in any form. The activation key should be a separately generated random string that has nothing to do with the user's information.
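A reset flow built the way feyd describes, as an added example that is not code from anyone in this thread: the activate key is a fresh random token that has nothing to do with the user's data, only its hash is stored, it expires, and the old password hash never leaves the server. The `users` and `password_resets` tables, the `example.invalid` host and the PDO connection are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Follows feyd's advice: the activate
// key is a fresh random token unrelated to the user's data; only its hash is
// stored, it expires, and the old password hash is never sent anywhere.
// Assumes a PDO connection and a table (both hypothetical):
//   password_resets(user_id INT PRIMARY KEY, token_hash CHAR(64), expires_at DATETIME)
const RESET_TTL_SECONDS = 3600;

// Step 1: user submits username + e-mail. Returns the link to e-mail, or null when
// the pair does not match (show the same "check your inbox" message either way).
function beginReset(PDO $db, string $username, string $email): ?string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? AND email = ?');
    $stmt->execute([$username, $email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $expires = date('Y-m-d H:i:s', time() + RESET_TTL_SECONDS);
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $expires]);
    // Only the raw token leaves the server, inside the e-mailed link.
    return 'https://example.invalid/activatepassword.php?userid=' . (int)$userId
         . '&activatekey=' . $token;
}

// Step 2: user follows the link and submits a new password.
function completeReset(PDO $db, int $userId, string $token, string $newPassword): bool
{
    $stmt = $db->prepare('SELECT token_hash FROM password_resets WHERE user_id = ? AND expires_at > ?');
    $stmt->execute([$userId, date('Y-m-d H:i:s')]);
    $stored = $stmt->fetchColumn();
    // Hashing the submitted token first gives equal lengths; hash_equals() is constant-time.
    if ($stored === false || !hash_equals($stored, hash('sha256', $token))) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    return $db->commit();
}
```

Because the token is single-use and unrelated to the password, a leaked or guessed reset link gives an attacker nothing reusable on other sites, which is the problem feyd raises below with sending the old hash.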
cs-web
Forum Commoner
Posts: 27
Joined: Fri Mar 11, 2005 11:57 am

Post by cs-web »

Well I thought that the hash of the old password would be just as hard to find by someone trying to log into someone else's account. And as it's already there it would make it much more efficient :D
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

considering people have a tendency to use the same password on multiple sites, it's not a good idea to transmit it.
cs-web
Forum Commoner
Posts: 27
Joined: Fri Mar 11, 2005 11:57 am

Post by cs-web »

smart thinking :)