TalkPHP
Forgot Password

Gurnk, 10-27-2007, 08:45 PM (#1)

So I have a user system that stores the users' passwords in a database with md5. I want to make a system so you can request a new password, and one will be sent to your email.

What is the best method of doing this? I know I can just send the person an email to the email they type in with the new password I generate, but then anyone could put in another user's email and reset their password.

I could do the secret question thing, but I already have members who wouldn't have one filled out.

Any ideas? Thanks.

Salathe, 10-27-2007, 09:04 PM (#2)

Store the user's email when they register. Then send the new password to that email address.

Gurnk, 10-27-2007, 09:11 PM (#3)

Yeah I know that. But if I send them a new password, I will have had to update it in the database so they can log in with it in order to change it back to something they like.

The problem is though, anyone could enter another user's email and then that user's password would be changed without them wanting it to be.

Salathe, 10-27-2007, 09:32 PM (#4)

Yes, that might be an inconvenience to the user whose password it is but you don't need to change the password immediately. Consider the following scenario:
  1. Annoying person requests a new password (for an email which isn't theirs!). Or the person sends a genuine reset request. Do NOT change the password at this point.
  2. Email gets sent to email saying "someone requested a password reset, if this wasn't you ignore this message". Either the user ignores the message, or they're genuine and click the link to a page which does reset their password (possibly with a token to authenticate the reset request).
  3. Password gets reset and they enter a new, more memorable one.

Andrew, 10-28-2007, 02:29 AM (#5)

Also, having a security question can stop people from changing the passwords of others. Something simple, or even asking for the date of birth if you want to ask for that when they sign up.

Gurnk, 10-28-2007, 02:52 AM (#6)

I ended up setting it up like this. You enter your username and email. If those both match the entry of a user, an email is sent with a randomly generated password and confirmation URL that are entered into a temp database. Once they click the confirmation URL from their email, the info from the temp database is put into the main one and the temp stuff is deleted. They can then log in with the random pass they got, and edit it in their profile.

bluesaga, 10-29-2007, 10:25 AM (#7)

What I normally do is have an additional column on the table, say for example "password_reset_key".

You then set a randomised key (md5(time() . $salt) I normally use) and email that to the user; the user can then change his/her password if it is the official user. If it is not the owner of the account, he/she can simply ignore the forgot password request and live on with the same user and password credentials.

Note: It's good to throttle the amount of requests from a single IP address on the page used to reset the password, as brute force can be done if the password_keys aren't that long.
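
The two-step flow Salathe (#4) and bluesaga (#7) describe, written out in PHP as an added example; this is not code from the thread or from any poster. It assumes a users table with two extra columns (stood in for here by an in-memory array), replaces mail() with a callback, and swaps bluesaga's md5(time() . $salt) for random_bytes(), storing only a hash of the token together with an expiry, and adds the per-IP throttle bluesaga mentions. The user name, email addresses, URL and limits are all made up for the example.

```php
<?php
// Added example, not code posted in this thread. Step 1 (requestReset) never
// changes the password: it stores an expiring token and mails a link.
// Step 2 (confirmReset) checks the token and only then sets the new password.
// The users table is an in-memory array (assumption); names, URL and limits are assumed.
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600;   // token lifetime (assumed value)
const MAX_REQUESTS_PER_HOUR = 3;  // per-IP throttle (assumed value)

// Constructed sample data: one user, no pending reset.
$users = [
    'alice' => [
        'email'            => 'alice@example.com',
        'password_hash'    => password_hash('old-password', PASSWORD_DEFAULT),
        'reset_token_hash' => null,   // sha256 of the token, never the token itself
        'reset_expires'    => 0,      // unix time after which the token is dead
    ],
];
$requestLog = [];                     // ip => list of request timestamps

// Sliding-window count of reset requests per IP (bluesaga's throttle).
function throttled(array &$log, string $ip, int $now): bool
{
    $log[$ip] = array_values(array_filter($log[$ip] ?? [], fn(int $t) => $t > $now - 3600));
    if (count($log[$ip]) >= MAX_REQUESTS_PER_HOUR) {
        return true;
    }
    $log[$ip][] = $now;
    return false;
}

// Step 1: called from the "forgot password" form. Returns nothing on purpose:
// the page should show the same message whether or not the account exists.
function requestReset(array &$users, array &$log, string $username, string $email,
                      string $ip, callable $sendMail, ?int $now = null): void
{
    $now ??= time();
    if (throttled($log, $ip, $now)) {
        return;
    }
    // Username and email must both match (Gurnk's check in #6).
    if (!isset($users[$username]) || strcasecmp($users[$username]['email'], $email) !== 0) {
        return;
    }
    // 256-bit token from the CSPRNG. md5(time() . $salt) depends on a predictable
    // clock value, so its strength rests entirely on the salt staying secret.
    $token = bin2hex(random_bytes(32));
    $users[$username]['reset_token_hash'] = hash('sha256', $token);
    $users[$username]['reset_expires']    = $now + RESET_TTL_SECONDS;
    $link = 'https://example.com/reset?u=' . rawurlencode($username) . '&t=' . $token;
    $sendMail($email, "Someone requested a password reset. If this wasn't you, ignore this message.", $link);
}

// Step 2: called when the user follows the link and submits a new password.
function confirmReset(array &$users, string $username, string $token, string $newPassword, ?int $now = null): bool
{
    $now ??= time();
    $user = $users[$username] ?? null;
    if ($user === null || $user['reset_token_hash'] === null || $user['reset_expires'] < $now) {
        return false;
    }
    // Constant-time comparison of the stored hash against the hash of the presented token.
    if (!hash_equals($user['reset_token_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$username]['password_hash']    = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$username]['reset_token_hash'] = null;   // single use
    $users[$username]['reset_expires']    = 0;
    return true;
}

// Demo run: no real mail is sent; the callback just records the link.
$outbox = [];
$send = function (string $to, string $body, string $link) use (&$outbox): void {
    $outbox[] = $link;
};

requestReset($users, $requestLog, 'alice', 'bob@example.com', '203.0.113.5', $send);   // mismatched email
requestReset($users, $requestLog, 'alice', 'alice@example.com', '203.0.113.5', $send); // genuine request
echo 'mails sent: ', count($outbox), PHP_EOL;
echo 'old password still valid after request: ',
     password_verify('old-password', $users['alice']['password_hash']) ? 'yes' : 'no', PHP_EOL;

// Pull the token back out of the link the way the reset page would read it from $_GET.
parse_str((string) parse_url($outbox[0], PHP_URL_QUERY), $query);
echo 'wrong token accepted: ', confirmReset($users, 'alice', 'not-the-token', 'new-password') ? 'yes' : 'no', PHP_EOL;
echo 'real token accepted: ',  confirmReset($users, 'alice', $query['t'], 'new-password') ? 'yes' : 'no', PHP_EOL;
echo 'token reusable: ',       confirmReset($users, 'alice', $query['t'], 'other-password') ? 'yes' : 'no', PHP_EOL;
echo 'new password valid: ',   password_verify('new-password', $users['alice']['password_hash']) ? 'yes' : 'no', PHP_EOL;
```

Run it with `php reset.php`. The demo at the bottom shows that a request on its own leaves the old password valid (so an attacker typing someone else's email cannot lock them out), that a request with a mismatched email sends nothing, that a wrong or already-used token is refused, and that only the token from the mailed link sets the new password. The same page response for found and not-found accounts keeps the form from doubling as a user-enumeration tool.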

sunilbhatia79, 11-16-2007, 04:24 AM (#8)

The best approach is that

1. you ask the user to enter his/her email address
2. The user gets a mail with a link that will take the user to confirm his email and desired action for password-reset.
3. When the user clicks on that link and lands on that page, he/she provides a new password.

Hope this is useful

Wildhoney, 11-20-2007, 04:06 PM (#9)

...Or if you want to prevent people from using that form as a way to spam a user, you can either present the user with their secret question they specified upon registration, and make them enter the correct answer. Alternatively, you could set the time-out so that they can only make one password reset request per hour - though with this you want to be careful because if they do not receive their email then they may get tired of waiting for the time-out to expire, and then consequently forget about your site entirely.