Is this lost password system suitably secure?
I'm making the lost password tool for my site at the moment and I'm finding it hard to get my head round. I decided on doing a method where a user types in his/her username and email, and then a new password is randomly generated, MD5'd and added to the new password field of the user database.
Then the user's id and MD5'd previous password are got out of the database and the user is emailed their newly generated password and a link to activate it, which consists of
mysite:activatepassword.php?userid=(the users id)&activatekey=(old pass word md5 hash)
Then activatepassword.php updates rows where userid is the userid passed and the activate key is the current password hash, setting the current password to the newpassword field and then resetting the newpassword field to nothing.
Is that system secure? Any more efficient/better suggestions?
Chris
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
I assume that you are verifying the user's email address from your database?
I would even mess about like that with all your MD5, creating random PWs and emailing them to the user.
I'd do this:
1. Store a secret question & answer in the DB in the first place.
2. Check the email they give you is the one they registered with.
3. Revoke the account by setting a field in your Database (something like 'revoked') with a value of 'yes'. Revoked accounts should not be able to login at all.
4. Send an email with a link to a page that allows them to change their PW. This page should ask them the secret question, if they provide the correct answer it should go to stage 5.
5. Present them with a box to enter a new password. MD5 this PW, set revoked='no'.
6. Take them back to the login page to login with their shiny new password.
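The six-step flow above, written out as an added example (my code, not Chris Corbyn's). It assumes an in-memory dict standing in for the users table, salted PBKDF2-SHA256 in place of the MD5 the thread talks about, a random single-use token in the emailed link (the post says "a link" but does not specify what it carries) with a one-hour expiry, and a secret answer that is normalised and hashed rather than stored in the clear. All names and the sample user are constructed.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000   # constructed setting; tune to your hardware
TOKEN_TTL = 3600          # assumption: the emailed link is good for one hour

# Constructed in-memory stand-in for the users table.
USERS = {}


def hash_secret(secret, salt=None):
    """Salted PBKDF2-SHA256 for passwords and secret answers (swap-in for MD5)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def verify_secret(secret, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def register(username, email, password, question, answer):
    """Step 1: store the secret question and a hash of the normalised answer."""
    pw_salt, pw_hash = hash_secret(password)
    ans_salt, ans_hash = hash_secret(answer.strip().lower())
    USERS[username] = {
        "email": email.lower(), "pw_salt": pw_salt, "pw_hash": pw_hash,
        "question": question, "ans_salt": ans_salt, "ans_hash": ans_hash,
        "revoked": False, "reset_token_hash": None, "reset_expires": 0,
    }


def request_reset(username, email, now=None):
    """Steps 2-4: check the email matches, revoke the account, return the link token.

    Returns None for an unknown user and for a wrong email alike, so the
    response does not reveal which usernames exist."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["email"].encode(), email.lower().encode()):
        return None
    token = secrets.token_urlsafe(32)
    user["reset_token_hash"] = hashlib.sha256(token.encode()).digest()  # store only a hash
    user["reset_expires"] = now + TOKEN_TTL
    user["revoked"] = True           # step 3: no logins until the reset completes
    return token                     # goes into the emailed link


def complete_reset(username, token, answer, new_password, now=None):
    """Steps 4-5: unexpired token + correct secret answer -> new password, revoked='no'."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or user["reset_token_hash"] is None or now > user["reset_expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), user["reset_token_hash"]):
        return False
    if not verify_secret(answer.strip().lower(), user["ans_salt"], user["ans_hash"]):
        return False
    user["pw_salt"], user["pw_hash"] = hash_secret(new_password)
    user["revoked"] = False
    user["reset_token_hash"] = None  # single use: the link is dead after this
    return True


def login(username, password):
    """Step 6: revoked accounts cannot log in at all."""
    user = USERS.get(username)
    if user is None or user["revoked"]:
        return False
    return verify_secret(password, user["pw_salt"], user["pw_hash"])


if __name__ == "__main__":
    register("chris", "chris@example.test", "old-pw", "First pet?", "Rex")
    tok = request_reset("chris", "chris@example.test")
    print("login while revoked:", login("chris", "old-pw"))
    print("reset with answer:", complete_reset("chris", tok, "rex", "new-pw"))
    print("login with new password:", login("chris", "new-pw"))
```

Two details worth keeping when porting this to PHP: the token in the link is compared by hash in constant time, and the secret answer check only happens after the token check, so a guessed answer on its own never gets anyone to the password box.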
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
you can set it up such that the new password is stored in a separate field of the table. If the user attached to it merely logs in while a "new password" is set with their normal password, then that field is wiped and the account switches back to normal. You can tell the user this in the email you send to the original email address when a new password is requested. Providing them a link that denies the change can also be useful.
Something else to do is do access auditing of the feature. If abusive behaviour is spotted, start talking to the ISP of the IP in question. Make sure to have details of specific timestamps and actions that IP took while on the site.
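feyd's variant and the access auditing, as an added example (my code, not feyd's). It assumes a separate pending-password field that is wiped when the normal password logs in, a hashed cancel token behind the "deny the change" link, and that a successful login with the pending password promotes it to the real one (the post does not say how the pending password gets activated, so that part is an assumption). The audit log, the per-IP request limit and the sample IP are constructed; PBKDF2 stands in for MD5.

```python
import hashlib
import hmac
import os
import secrets
import time

USERS = {}                   # constructed in-memory users table
AUDIT = []                   # constructed audit log: (timestamp, ip, username, action)
MAX_REQUESTS_PER_HOUR = 3    # assumption: more than this from one IP is "abusive"


def _hash(secret, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def _matches(secret, salt, digest):
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000), digest)


def _audit(ip, username, action, now):
    AUDIT.append((now, ip, username, action))


def create_user(username, password):
    salt, digest = _hash(password)
    USERS[username] = {"salt": salt, "hash": digest,
                       "new_salt": None, "new_hash": None, "cancel_hash": None}


def is_abusive(ip, now, window=3600):
    """Count reset requests from one IP inside the window; the log is the evidence."""
    recent = [r for r in AUDIT if r[1] == ip and r[3] == "reset_requested" and now - r[0] <= window]
    return len(recent) > MAX_REQUESTS_PER_HOUR


def request_new_password(username, ip, now=None):
    """Put a random temporary password in the separate field; return what to email."""
    now = time.time() if now is None else now
    _audit(ip, username, "reset_requested", now)
    if is_abusive(ip, now):
        return None
    user = USERS.get(username)
    if user is None:
        return None
    temp_password = secrets.token_urlsafe(12)
    cancel_token = secrets.token_urlsafe(32)
    user["new_salt"], user["new_hash"] = _hash(temp_password)
    user["cancel_hash"] = hashlib.sha256(cancel_token.encode()).digest()
    return temp_password, cancel_token     # both go in the email, never stored in clear


def _clear_pending(user):
    user["new_salt"] = user["new_hash"] = user["cancel_hash"] = None


def login(username, password, ip, now=None):
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        _audit(ip, username, "login_failed", now)
        return False
    if _matches(password, user["salt"], user["hash"]):
        _clear_pending(user)               # normal password works: drop the pending one
        _audit(ip, username, "login_ok", now)
        return True
    if user["new_hash"] is not None and _matches(password, user["new_salt"], user["new_hash"]):
        user["salt"], user["hash"] = user["new_salt"], user["new_hash"]   # assumption: promote
        _clear_pending(user)
        _audit(ip, username, "login_temp_promoted", now)
        return True
    _audit(ip, username, "login_failed", now)
    return False


def deny_change(username, cancel_token, ip, now=None):
    """The 'deny the change' link from the email: wipe the pending password."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or user["cancel_hash"] is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(cancel_token.encode()).digest(), user["cancel_hash"]):
        return False
    _clear_pending(user)
    _audit(ip, username, "reset_denied", now)
    return True


def report_for_ip(ip):
    """Timestamped actions for one IP, the detail feyd suggests sending to the ISP."""
    return [(ts, user, action) for ts, rip, user, action in AUDIT if rip == ip]
```

The limit check runs after the request is logged, so a blocked attempt still leaves a timestamped row; `report_for_ip` is what you would hand over after spotting a burst from one address.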