Is this lost password system suitably secure?
Posted: Sun Mar 13, 2005 7:00 am
by cs-web
I'm making the lost password tool for my site at the moment and I'm finding it hard to get my head round. I decided on doing a method where a user types in his/her username and email and then a new password is randomly generated, md5ed and added to the new password field of the user database.
Then the user's id and md5ed previous password are taken out of the database and the user is emailed their new generated password and a link to activate it, which consists of
mysite:activatepassword.php?userid=(the users id)&activatekey=(old pass word md5 hash)
then activatepassword.php updates rows where userid is the userid passed and the activate key is the current password hash, setting the current password to the newpassword field and then resetting the newpassword field to nothing.
Is that system secure? Any more efficient or better suggestions?
Chris
Posted: Sun Mar 13, 2005 7:41 am
by Chris Corbyn
I assume that you are verifying the user's email address from your database?
I wouldn't even mess about like that with all your MD5 creating random PW's and emailing it to them.
I'd do this:
1. Store a secret question & answer in the DB in the first place.
2. Check the email they give you is the one they registered with.
3. Revoke the account by setting a field in your Database (something like 'revoked') with a value of 'yes'. Revoked accounts should not be able to login at all.
4. Send an email with a link to a page that allows them to change their PW. This page should ask them the secret question, if they provide the correct answer it should go to stage 5.
5. Present them with a box to enter a new password. MD5 this PW, set revoked='no'.
6. Take them back to the login page to login with their shiny new password.
Posted: Sun Mar 13, 2005 7:45 am
by cs-web
Yeah, but then you get some people who just type in other people's usernames and email, which can be very annoying for them as they have to go through all that to be able to login again.
Posted: Sun Mar 13, 2005 10:12 am
by feyd
You can set it up such that the new password is stored in a separate field of the table. If the user attached to it merely logs in while a "new password" is set with their normal password, then that field is wiped and the account switches back to normal. You can tell the user this in the email you send to the original email address when a new password is requested. Providing them a link that denies the change can also be useful.
Something else to do is access auditing of the feature. If abusive behaviour is spotted, start talking to the ISP of the IP in question. Make sure to have details of specific timestamps and actions that IP took while on the site.
Posted: Sun Mar 13, 2005 10:41 am
by cs-web
So is it a good idea to generally log all activity on the site?
Posted: Sun Mar 13, 2005 10:44 am
by feyd
Yes, although to what extent depends on your specific needs. Some sites don't need it, some do.
Posted: Sun Mar 13, 2005 10:49 am
by cs-web
So you would say the system I proposed is secure, but I should add a deny change feature and also log activity on the password recovery system?
Posted: Sun Mar 13, 2005 11:04 am
by feyd
I don't see why the old password is sent in any form. The activation key should be a separately generated random string that has nothing to do with the user's information.
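An added example (not code from this thread, and written in Python rather than the PHP the site uses) of the flow feyd describes: the pending password lives in its own field, the activation key is a random string unrelated to the user's data and only its hash is stored, and a normal login with the current password wipes the pending reset. The in-memory USERS table, its field names and the one-hour expiry are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user table standing in for the site's database.
USERS = {}

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(username, email, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {"email": email, "salt": salt,
                       "pw": _hash_password(password, salt),
                       "pending_pw": None, "token_hash": None, "expires": 0.0}

def request_reset(username, email, now):
    """Generate a new password plus a random activation token unrelated to the
    user's data. Only the token's hash is stored; the token itself is e-mailed.
    Returns (new_password, token), or None if username/email do not match."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["email"].encode(), email.encode()):
        return None
    new_password = secrets.token_urlsafe(12)
    token = secrets.token_urlsafe(32)
    user["pending_pw"] = _hash_password(new_password, user["salt"])
    user["token_hash"] = hashlib.sha256(token.encode()).digest()
    user["expires"] = now + 3600  # activation link is good for one hour (assumed)
    return new_password, token

def activate(username, token, now):
    """Promote the pending password only if the token matches and is unexpired."""
    user = USERS.get(username)
    if user is None or user["pending_pw"] is None or now > user["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), user["token_hash"]):
        return False
    user["pw"], user["pending_pw"], user["token_hash"] = user["pending_pw"], None, None
    return True

def login(username, password):
    """A normal login with the current password wipes any pending reset, so
    strangers requesting resets cannot lock the real owner out."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw"]):
        return False
    user["pending_pw"], user["token_hash"] = None, None
    return True
```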
Posted: Sun Mar 13, 2005 11:06 am
by cs-web
Well, I thought that the hash of the old password would be just as hard to find by someone trying to log into someone else's account. And as it's already there it would make it much more efficient.

Posted: Sun Mar 13, 2005 11:17 am
by feyd
Considering people have a tendency to use the same password on multiple sites, it's not a good idea to transmit it.
Posted: Sun Mar 13, 2005 11:25 am
by cs-web
Smart thinking.
