Forgot password module
#1

[eluser]TheFuzzy0ne[/eluser]
Hi everyone. I'm looking for ideas as to how to create a "forgot password" module for my Web site, or rather, how it should work.

I'm concerned that if I use any encryption, my site key may be crackable with a brute force attack.

I was thinking of doing something like this:

User clicks on "forgot password". The Web site sends them an email with a link that contains their username, and the md5 hash of their password. This link will be used to validate the user. If the MD5 hash matches the one in the database for that user, the password can be changed (rendering that link useless unless the same password is used again). I can see problems with this approach, namely that this method could be open to brute force attacks. Perhaps I need to bring a database table into it, so the password can only be changed using this method if the user has requested it, but I doubt it will make it any more secure, as anyone could request it for someone else's account, and then hack away.

I was also thinking of just sending them a temporary password instead, but I'm not sure how to implement this. Obviously, if the password can be reset just by entering an email address, some idiot could drive my users crazy if they know their Email addresses.

Basically, all of my ideas so far seem flawed, and so far I haven't found a method that isn't flawed in some way.

All input appreciated.

Thanks.
#2

[eluser]Milos Dakic[/eluser]
You don't want to make it too difficult for the user themselves either. If you put too much protection around it, it might drive someone crazy to reset their password.

I'd just use the standard: request password change, send email (link back to website), check request, if valid let them change the password.

Could be made more secure but I guess it's all up to you and how you want to implement it. Nothing will be 100% but close enough would probably be good enough.
#3

[eluser]jedd[/eluser]
[quote author="TheFuzzy0ne" date="1235977464"]
I'm concerned that if I use any encryption, my site key may be crackable with a brute force attack.
[/quote]

I think this subject was hit, tangentially, in another thread we were both monitoring a few days ago.

Coincidentally it's been at the back of my mind too, as I've been pondering whether to pull in a user-handling library or develop my own.

I think brute force attacks can be prevented with one or both of these approaches:
o fixed delay on login validation (the sleep(1s) approach)
o the ssh-denyhosts approach, whereby after X failed attempts you drop a route to that IP address (or in this case just stop offering a login prompt to that IP address)

Quote: User clicks on "forgot password". The Web site sends them an email with a link that contains their username, and the md5 hash of their password.

Do you trust mail? Rather, is the concern with intercepted data (because mail is rarely encrypted)?

It seems dangerous to be sending MD5s out... but I can't describe why.

Maybe an md5 of the password's md5? Anyway, not a huge part of the problem.

I concur about the effective DoS you're hitting one of your prospective users with, as their mailbox is flooded with 'your password has been reset' emails.

Two approaches spring to mind:
o as above, put a limiter on this - more than 2 in an hour, stop responding to that IP address
o have a human-intervention component - either a captcha, or if you want to be more sophisticated one of those 'what's your favourite city?' style pass phrases (though in my experience they rarely work very well)

In your favour, the net is not flooded with idiots generating lots of these kinds of password change requests, which is encouraging.
#4

[eluser]JayTee[/eluser]
I handle this in the following steps:
1. User enters their email address and a random piece of data from their profile
2. Get an md5 of the current time stamp
3. Take the last XX characters and use it as a 'key'
4. Take the first XX characters and use it as the user's new password - update the db with the new pass and the key
5. Email the user a URL containing the key
6. The user enters their email address and a new password when they arrive at the URL
7. Confirm the email and key combination in the db, then update the password

In a nutshell, once they hit "forgot", they aren't getting back in until they visit the URL received in their email. I use that initial prompt in step 1 for a weak identity check.
#5

[eluser]Milos Dakic[/eluser]
[quote author="JayTee" date="1235990928"]I handle this in the following steps:
1. User enters their email address and a random piece of data from their profile
2. Get an md5 of the current time stamp
3. Take the last XX characters and use it as a 'key'
4. Take the first XX characters and use it as the user's new password - update the db with the new pass and the key
5. Email the user a URL containing the key
6. The user enters their email address and a new password when they arrive at the URL
7. Confirm the email and key combination in the db, then update the password

In a nutshell, once they hit "forgot", they aren't getting back in until they visit the URL received in their email. I use that initial prompt in step 1 for a weak identity check.[/quote]

Really cool way of doing it. Might have to switch to this.
#6

[eluser]TheFuzzy0ne[/eluser]
Thanks for the replies everybody. I think I'm going to go with JayTee's idea, but I will use a CAPTCHA instead of a security question. I don't know why using a CAPTCHA never occurred to me, especially since I've recently developed a CAPTCHA library...

Thanks again for your replies.
#7

[eluser]TheFuzzy0ne[/eluser]
Hi, guys!

I have been thinking further about this problem, and I was thinking about doing this:

1) The user clicks the "forgot password" link.

2) The user is directed to a page where they need to enter their email address and pass CAPTCHA validation.

3) A key is generated and sent to the user. The key basically consists of the user's email address and their current hashed password:
Code:
// Example values from the post: the account's email and its current MD5 password hash
$email = '[email protected]';
$pass_hash = 'e10adc3949ba59abbe56e057f20f883e';
// CodeIgniter Encrypt library; it must be loaded and $config['encryption_key'] must be set
$this->load->library('encrypt');
// The key the user receives is the encrypted "email:hash" pair
$key = $this->encrypt->encode($email . ':' . $pass_hash);

4) An email is sent to the user containing a link, and a key for them to copy and paste.

5) The link, when clicked, will bring up a page where the user will paste the key given to them.

6) Copying in the key and submitting it will decode the key, and then check to see if the password hash matches the email address. If it does, allow the user to change their password.

This has the benefit of not needing any other tables other than the user table. The user's MD5 hashed password is safe, as it's encrypted.

What do you think?

I'd like to find a way to pass this key through the URL, but I'm not sure how problematic it will be. The problem is that my server doesn't like encoded slashes. Then again, if the method only takes one argument, the forward slashes are irrelevant, as I can just extract the key from the uri_string, rather than using segments.
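A reset-token flow covering JayTee's steps and the encrypted-key proposal above, as an added example written for this thread and not code from any poster or from CodeIgniter. It assumes plain PHP 7+ (random_bytes, hash_equals, password_hash), an in-memory array standing in for the users table, a stub mailer, and a query-string parameter to carry the token.

```php
<?php
// Added example, not from the thread or CodeIgniter. Replaces the md5(timestamp)
// key and the encrypted "email:hash" key with a random, single-use, expiring
// token. Only the token's hash is stored, so a dumped users table yields no
// working reset links. $users stands in for the users table (constructed data).

const RESET_TTL_SECONDS = 3600; // a reset link is valid for one hour

function issue_reset_token(array &$users, string $email, callable $send_mail): void
{
    // Behave identically for unknown addresses so the form does not reveal accounts.
    if (!isset($users[$email])) {
        return;
    }
    $token = bin2hex(random_bytes(32));                       // 256 bits from the CSPRNG
    $users[$email]['reset_hash']    = hash('sha256', $token); // store a hash, not the token
    $users[$email]['reset_expires'] = time() + RESET_TTL_SECONDS;
    // A query parameter sidesteps the encoded-slash problem with URI segments.
    $send_mail($email, 'https://example.com/reset?token=' . $token);
}

function complete_reset(array &$users, string $email, string $token, string $new_password): bool
{
    if (!isset($users[$email]['reset_hash'])) {
        return false;                                         // no outstanding request
    }
    $u = &$users[$email];
    if (time() > $u['reset_expires']
        || !hash_equals($u['reset_hash'], hash('sha256', $token))) { // constant-time compare
        return false;
    }
    unset($u['reset_hash'], $u['reset_expires']);             // single use: burn the token
    $u['password_hash'] = password_hash($new_password, PASSWORD_DEFAULT); // bcrypt, not MD5
    return true;
}

// Demo with constructed data and a stub mailer that just captures the link.
$users = ['alice@example.com' => ['password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$link  = '';
issue_reset_token($users, 'alice@example.com', function (string $to, string $url) use (&$link) {
    $link = $url;
});
parse_str((string) parse_url($link, PHP_URL_QUERY), $params);
$first  = complete_reset($users, 'alice@example.com', $params['token'], 'new-secret'); // first use of the link
$second = complete_reset($users, 'alice@example.com', $params['token'], 'again');      // replay of the same link
echo "first attempt: ", var_export($first, true), "\nreplay attempt: ", var_export($second, true), "\n";
```

Pair this with the per-IP request limit and CAPTCHA already suggested in the thread, since the token design alone does nothing about someone flooding a user's inbox with reset mails.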
