So I have a user system that stores the users' passwords in a database with md5. I want to make a system so you can request a new password, and one will be sent to your email.
What is the best method of doing this? I know I can just send the person an email to the email they type in with the new password I generate, but then anyone could put in another user's email and reset their password.
I could do the secret question thing, but I already have members who wouldn't have one filled out.
Yes, that might be an inconvenience to the user whose password it is but you don't need to change the password immediately. Consider the following scenario:
Annoying person requests a new password (for an email which isn't theirs!). Or the person sends a genuine reset request. Do NOT change the password at this point.
Email gets sent to that address saying "someone requested a password reset, if this wasn't you ignore this message". Either the user ignores the message, or they're genuine and click the link to a page which does reset their password (possibly with a token to authenticate the reset request).
Password gets reset and they enter a new, more memorable one.
Also, having a security question can stop people from changing the passwords of others. Something simple, or even asking for the date of birth if you want to ask for that when they sign up.
I ended up setting it up like this. You enter your username and email. If those both match the entry of a user, an email is sent with a randomly generated password and confirmation URL that are entered into a temp database. Once they click the confirmation URL from their email, the info from the temp database is put into the main one and the temp stuff is deleted. They can then log in with the random pass they got, and edit it in their profile.
What I normally do is have an additional column on the table, say for example "password_reset_key".
You then set a randomised key (md5(time() . $salt) I normally use), and email that to the user; the user can then change his/her password if it is the official user. If it is not the owner of the account, he/she can simply ignore the forgot password request and live on with the same user and password credentials.
Note: It's good to throttle the amount of requests from a single IP address on the page used to reset the password, as brute force can be done if the password_keys aren't that long.
1. You ask the user to enter his/her email address.
2. The user gets a mail with a link that will take the user to confirm his email and desired action for password-reset.
3. When the user clicks on that link and lands on that page, he/she provides a new password.
...Or if you want to prevent people from using that form as a way to spam a user, you can either present the user with their secret question they specified upon registration, and make them enter the correct answer. Alternatively, you could set the time-out so that they can only make one password reset request per hour - though with this you want to be careful because if they do not receive their email then they may get tired of waiting for the time-out to expire, and then consequently forget about your site entirely.
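Combining the "password_reset_key" column idea and the three-step flow described above, here is an added example written for this page in PHP; it is not code from any of the posters. `$users`, `requestReset()` and `confirmReset()` are assumed names standing in for the real table and request handlers, and the sample row is constructed.

```php
<?php
// Added example, not code from the thread. The password is not changed until the
// emailed link is confirmed; the token comes from a CSPRNG (not md5(time() . $salt)),
// only its hash is stored, it expires, and it can be used once.
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600;   // validity window; matches the one-request-per-hour idea

$users = ['alice' => ['email' => 'alice@example.com',          // constructed sample row
    'password_hash'  => password_hash('old-secret', PASSWORD_DEFAULT),
    'reset_key_hash' => null, 'reset_expires' => null]];     // the "password_reset_key" column, hashed

// Step 1: user submits username and email. Returns the token to put in the link, or null
// (no mail sent). Show the same "check your inbox" message either way, so the form
// cannot be used to probe which addresses are registered.
function requestReset(array &$users, string $username, string $email): ?string
{
    if (!isset($users[$username]) || $users[$username]['email'] !== $email) {
        return null;
    }
    $token = bin2hex(random_bytes(32));                              // 256 bits of entropy
    $users[$username]['reset_key_hash'] = hash('sha256', $token);    // a DB leak does not yield a usable token
    $users[$username]['reset_expires']  = time() + RESET_TTL_SECONDS;
    return $token;
}

// Steps 2-3: user follows the link and supplies a new password.
function confirmReset(array &$users, string $username, string $token, string $newPassword): bool
{
    $u = $users[$username] ?? null;
    if ($u === null || $u['reset_key_hash'] === null || time() > $u['reset_expires']) {
        return false;                                                // unknown user, no request, or expired
    }
    if (!hash_equals($u['reset_key_hash'], hash('sha256', $token))) {
        return false;                                                // constant-time comparison
    }
    $users[$username]['password_hash']  = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$username]['reset_key_hash'] = null;                      // one-time use
    $users[$username]['reset_expires']  = null;
    return true;
}

// Walk-through of the scenario from the answers above.
$token = requestReset($users, 'alice', 'alice@example.com');
assert(requestReset($users, 'alice', 'someone-else@example.com') === null);  // wrong email: nothing sent
assert(password_verify('old-secret', $users['alice']['password_hash']));     // a request alone changes nothing
assert(confirmReset($users, 'alice', 'not-the-token', 'x') === false);
assert(confirmReset($users, 'alice', $token, 'new-secret') === true);
assert(confirmReset($users, 'alice', $token, 'again') === false);            // token already consumed
assert(password_verify('new-secret', $users['alice']['password_hash']));
```

The per-IP throttling mentioned in the "password_reset_key" answer is left to the web layer; the token length and expiry here are what make guessing impractical even without it.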