How can I do a password recovery system?
#1

[eluser]Kurai[/eluser]
Hi!
My small application has an auth library which sets the password you choose as MD5 in the DB and then checks MD5 Hash of the password on login.
Now, I would like to have a password recovery system, but since MD5 is non-reversible, I'm a bit stuck.
Can you give me some ideas on how to proceed with that?
Thank you!
#2

[eluser]bohara[/eluser]
Kurai,
I think the easiest way would be to verify who they are through other vital signup information, i.e. email, username, pet's name, IP address. Once verified, just allow them to choose a new password or auto-generate one for them.
#3

[eluser]Derek Allard[/eluser]
I built something like this into BambooInvoice if you want to go download it and dissect. login controller.
#4

[eluser]Matthew Lanham[/eluser]
I would normally get their email on signup, then if they forget, ask them to enter their email and then either:

send them a new password via email (could be insecure)

or

I prefer to send them a link that they can then use to reset the password
#5

[eluser]erik.brannstrom[/eluser]
I'll give you a breakdown of how I've done it. It at least seems secure and efficient enough for my needs. This isn't technically a password recovery, but an account recovery, since we all know a hashed password cannot be decoded.

I have an account controller in which, firstly, I have one method used for recovery requests. It basically loads a view where the user inputs his/her username. If it checks out and there is a registered e-mail for that user, I store a randomly generated hash along with the username in a database table. An e-mail is sent with a link to another method with two arguments, the username and the hash.

When the user clicks the link, another method in the controller checks the two arguments against the DB and also sees that the recovery request isn't older than two days. If all this seems okay, a view is loaded containing a form where the user can choose a new password.

Hope this helps!
#6

[eluser]llbbl[/eluser]
You have two glaring/possible security holes, so let me start by first saying:

Emailing passwords to users is ALWAYS a BAD IDEA!

It isn't secure if you're using MD5 in your database for the passwords. SHA1 is better, or both if you really want to be sure ... lol

Here is how you do it.

Password Recovery System

- A form with an email field so users can reset their password
- A temporary user table w/ a "randomdata" field
- When the user submits the form, a string of random data is generated and the user data is copied over from the main user table to the temp one
- An email is sent to the user with a link in the following (general) format: http://yourdomain/changepassword/username/randomdata/
- Once they click on the link they are shown another form letting them change their password. Remember to do two password boxes and make sure they typed the same thing in twice. Also do the obvious thing of checking to make sure the random data in the URL matches the randomdata in the temp user table.

It's possible to do it with one user table instead of two if you put the randomdata in the user table and delete the "randomdata" after they reset their password. I delete the entire row from the temporary table.
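The token-based flow that erik.brannstrom and llbbl describe (random value stored per request, link with username and token, expiry check, matching password boxes, single use), written out as an added example. This is not code from the thread, from CodeIgniter or from any of the libraries mentioned; it is plain PHP 7+ with an in-memory array standing in for the users and reset-request tables, and the username, e-mail and passwords are constructed sample values. It also follows Pascal's point by storing the new password with password_hash() rather than md5()/sha1().

```php
<?php
// Added example, not from the thread: token-based account recovery.
// $db is an in-memory stand-in for the users table and the reset-request table.

const RESET_TTL_SECONDS = 2 * 24 * 3600;   // "not older than two days"

$db = [
    'users'  => [
        'kurai' => [                       // constructed sample user
            'email'         => 'kurai@example.invalid',
            'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT),
        ],
    ],
    'resets' => [],                        // username => ['token_hash' => ..., 'expires' => ...]
];

// Step 1: user submits the recovery form. Return the plain token for the e-mail
// link, or null if the account is unknown. The caller should show the same
// "if that account exists, a mail was sent" page either way, so the form
// cannot be used to check which usernames exist.
function requestReset(array &$db, string $username, int $now): ?string
{
    if (!isset($db['users'][$username])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));    // 256 bits from the CSPRNG, not rand()/uniqid()
    $db['resets'][$username] = [
        'token_hash' => hash('sha256', $token),  // store only a hash: a leaked table must not yield live links
        'expires'    => $now + RESET_TTL_SECONDS,
    ];
    // The plain token goes only into the mailed link, e.g.
    // https://yourdomain/changepassword/<username>/<token>/
    return $token;
}

// Step 2: user follows the link. Check that a request exists, has not expired,
// and that the token matches (constant-time) before showing the new-password form.
function verifyResetToken(array $db, string $username, string $token, int $now): bool
{
    $req = $db['resets'][$username] ?? null;
    if ($req === null || $now > $req['expires']) {
        return false;
    }
    return hash_equals($req['token_hash'], hash('sha256', $token));
}

// Step 3: set the new password. Both boxes must match, the token is consumed
// (single use, like deleting the temp-table row) and the password is stored
// with a real password hash instead of md5/sha1.
function completeReset(array &$db, string $username, string $token,
                       string $newPassword, string $confirm, int $now): bool
{
    if ($newPassword === '' || $newPassword !== $confirm) {
        return false;
    }
    if (!verifyResetToken($db, $username, $token, $now)) {
        return false;
    }
    unset($db['resets'][$username]);
    $db['users'][$username]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Walk through the flow with the sample user.
$now   = time();
$token = requestReset($db, 'kurai', $now);
check($token !== null, 'token issued for known user');
check(requestReset($db, 'nobody', $now) === null, 'no token for unknown user');
check(!verifyResetToken($db, 'kurai', 'wrong-token', $now), 'wrong token rejected');
check(!verifyResetToken($db, 'kurai', $token, $now + RESET_TTL_SECONDS + 1), 'expired token rejected');
check(!completeReset($db, 'kurai', $token, 'new-secret', 'typo', $now), 'mismatched boxes rejected');
check(completeReset($db, 'kurai', $token, 'new-secret', 'new-secret', $now), 'reset succeeds');
check(!completeReset($db, 'kurai', $token, 'again', 'again', $now), 'token cannot be reused');
check(password_verify('new-secret', $db['users']['kurai']['password_hash']), 'new password stored');
echo "reset flow ok\n";
```

In a real controller the `$db` array becomes two queries (insert the request row, then select it by username on the link handler), and the only thing that changes is where the token hash and expiry live; the checks stay in the same order: existence, expiry, constant-time token comparison, password confirmation, then invalidate the request before writing the new hash.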
#7

[eluser]Xeoncross[/eluser]
I recommend you look at the super simple Redux Auth lib as it shows the whole process very well.
#8

[eluser]Pascal Kriete[/eluser]
[quote author="llbbl" date="1218069378"]It isn't secure if you're using MD5 in your database for the passwords. SHA1 is better, or both if you really want to be sure ... lol[/quote]

::sarcasm falls off the roof and dies::
Quote:
$hashed = md5(sha1($password)); // no no no

Mathew outlined secure passwords here. I second the ReduxAuth recommendation.
#9

[eluser]Kurai[/eluser]
Thank you, everyone. Now I know what to do :)