Users and Profiles DB and Forgotten password
#1

[eluser]Dregond Rahl[/eluser]
I've noticed in several authentication libraries that the profile table is separated from the users table. Why is that?



I'm also working on a forgotten password system. When someone has lost their password, they type in their username or email address, and it checks the database; if it exists, it will send an email with something like:
Code:
domain.com/forgottenpassword/(Sha1 hash)

The SHA1 hash consists of a random key, and the 'users' table is updated with that key in a "reset_password" field. When the user visits the link, he/she is asked to type in the new password and a confirmation password, the person is auto-logged in, and the "reset_password" field is reset to blank.

Is this a safe method?
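The flow described in the post, as an added example (not code from the thread or from CodeIgniter). It differs from the post's scheme in two places worth pointing out: the database stores only a SHA-256 hash of the emailed token, so a leaked "reset_password" column is useless on its own, and the token expires and is single-use. The in-memory array standing in for the users table, the one-hour lifetime, and the function names are all assumptions for the demo.

```php
<?php
// Added example (not from the thread): single-use, expiring password reset token.
// The users "table" is an in-memory array with constructed sample data.

declare(strict_types=1);

const RESET_TTL_SECONDS = 3600;   // assumption: reset links are valid for one hour

/** Constructed sample data standing in for the CodeIgniter users table. */
$users = [
    'alice@example.com' => [
        'id'               => 1,
        'password_hash'    => password_hash('old-password', PASSWORD_DEFAULT),
        'reset_token_hash' => null,   // only the hash of the token is stored
        'reset_expires_at' => null,
    ],
];

/**
 * Step 1: the user submits an email address. Returns the raw token to put in the
 * mailed URL, or null if the address is unknown. The HTTP response should look the
 * same in both cases so the form does not reveal which addresses are registered.
 */
function issue_reset_token(array &$users, string $email): ?string
{
    if (!isset($users[$email])) {
        return null;
    }
    // 256 bits from the CSPRNG; sha1(time() . something) is guessable, this is not.
    $token = bin2hex(random_bytes(32));
    $users[$email]['reset_token_hash'] = hash('sha256', $token);
    $users[$email]['reset_expires_at'] = time() + RESET_TTL_SECONDS;
    return $token;
}

/**
 * Step 2: the user follows domain.com/forgottenpassword/<token> and submits the
 * new password. Returns true on success. The token is consumed on any match,
 * expired or not, so a link can never be used twice.
 */
function complete_reset(array &$users, string $token, string $newPassword): bool
{
    $candidate = hash('sha256', $token);
    // A real implementation would query the row by token hash instead of scanning.
    foreach ($users as $email => $row) {
        if ($row['reset_token_hash'] === null) {
            continue;
        }
        // hash_equals() compares in constant time, so a timing side channel does
        // not leak how many leading characters of a guessed token were correct.
        if (!hash_equals($row['reset_token_hash'], $candidate)) {
            continue;
        }
        // Invalidate first so a concurrent request cannot reuse the same link.
        $users[$email]['reset_token_hash'] = null;
        $users[$email]['reset_expires_at'] = null;
        if ($row['reset_expires_at'] < time()) {
            return false;                      // expired: user must request a new link
        }
        $users[$email]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
        return true;
    }
    return false;                              // unknown or already-used token
}

// Walk-through
$token = issue_reset_token($users, 'alice@example.com');
echo 'Mailed link: https://domain.com/forgottenpassword/' . $token, PHP_EOL;
var_dump(complete_reset($users, $token, 'new-password'));   // first use
var_dump(complete_reset($users, $token, 'again'));          // second use of the same link
var_dump(password_verify('new-password', $users['alice@example.com']['password_hash']));
```

Whether to auto-login after the reset is a separate decision; if you do, regenerate the session ID at that point so a session fixated before the reset does not carry over.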
#2

[eluser]Dan Horrigan[/eluser]
I use separation because of separation of data types. The users table contains authentication information, and the profiles table contains user information. Why mix the two?

The forgotten password system you proposed is flawed in a few ways:
1. People hate resetting their passwords.
2. Using Sha1 hashes opens the system up for attack.

The better solution would be to keep the password encrypted in the database (CI has a very nice Encryption class). When the user forgets the password, they can enter their email address and be emailed the password. If you are uncomfortable with emailing the password, you could email them a password retrieval code. That code could be a random number that was hashed, then encrypted with a random salt, then just take the first 10 characters or something and make that the code.

Sorry if it is not very detailed, it is too early for that :)
#3

[eluser]Dregond Rahl[/eluser]
Well, the password is already encrypted using SHA1 and a salt. A separate field with the time as the salt and an alphanumeric string is hashed with SHA1 and added. When the person requests the password, an email is sent with that hash in the URL, and when the person clicks on that link it matches the hash and the person resets their password easily. I don't know how SHA1 opens up the system for attacks =/
#4

[eluser]Dan Horrigan[/eluser]
It's open for attack because it is very easy to brute force that type of system. The program could be written in under an hour (with CI, I might add :)).
#5

[eluser]Dregond Rahl[/eluser]
What type of random string would you recommend? Just random? Or the same method, except using only 20 out of the 40 characters in the string?


Also, attempts are logged for changing the password, sending the forgotten password and logging in, so after 5 attempts the person has to wait 5 mins.
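The "5 attempts, then wait 5 minutes" rule from the post, as an added example (not code from the thread or from CodeIgniter). It keeps one counter per action and per key so the same class can guard the login form (keyed by account), the reset-request form (keyed by account or email) and the reset URL itself (keyed by client IP, since a guessed token carries no account name). The in-memory bucket store, the class name and the fixed-window design are assumptions; in a real deployment the buckets would live in a database table or cache shared by all web nodes. Requires PHP 8.

```php
<?php
// Added example (not from the thread): fixed-window attempt throttle,
// 5 failures per 5 minutes per (action, key).

declare(strict_types=1);

final class AttemptThrottle
{
    /** @var array<string, array{count:int, window_start:int}> in-memory stand-in for a table */
    private array $buckets = [];

    public function __construct(
        private int $maxAttempts = 5,
        private int $windowSeconds = 300,
    ) {}

    /** Seconds the caller must still wait, or 0 if the attempt may proceed. */
    public function check(string $action, string $key, int $now): int
    {
        $bucket = $this->buckets["$action|$key"] ?? null;
        if ($bucket === null || $now - $bucket['window_start'] >= $this->windowSeconds) {
            return 0;                                   // no window, or window has expired
        }
        if ($bucket['count'] < $this->maxAttempts) {
            return 0;
        }
        return $bucket['window_start'] + $this->windowSeconds - $now;
    }

    /** Record a failed attempt. Call clear() on success so legitimate users are not punished. */
    public function recordFailure(string $action, string $key, int $now): void
    {
        $id = "$action|$key";
        $bucket = $this->buckets[$id] ?? null;
        if ($bucket === null || $now - $bucket['window_start'] >= $this->windowSeconds) {
            $this->buckets[$id] = ['count' => 1, 'window_start' => $now];
            return;
        }
        $this->buckets[$id]['count']++;
    }

    public function clear(string $action, string $key): void
    {
        unset($this->buckets["$action|$key"]);
    }
}

// Walk-through: five bad reset-token guesses from one IP, then a sixth request.
$throttle = new AttemptThrottle();
$now = time();
for ($i = 0; $i < 5; $i++) {
    if ($throttle->check('reset_complete', '203.0.113.7', $now + $i) === 0) {
        $throttle->recordFailure('reset_complete', '203.0.113.7', $now + $i);
    }
}
echo 'Seconds to wait before next reset attempt: ',
     $throttle->check('reset_complete', '203.0.113.7', $now + 10), PHP_EOL;
```

Note that a throttle keyed only by account lets an attacker lock the real user out by deliberately failing, and one keyed only by IP is bypassed by rotating addresses; logging both keys, as the post does, and throttling on each is the usual compromise. A throttle also does not make a short code safe by itself: it only slows the enumeration down, which is why the token in the link still needs to be long and unpredictable.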
#6

[eluser]Dan Horrigan[/eluser]
You could use the same thing then pick 15 or 20 random characters from the string. You could do something like this:

Code:
function partial_hash($hash, $len)
{
    $hash_len = strlen($hash);
    $partial = '';
    // Loop $len times. The original compared $i against $hash_len with '>',
    // which is false on the first pass, so the loop never ran.
    for ($i = 0; $i < $len; $i++)
    {
        // Indexes run 0..$hash_len-1; rand(1, $hash_len) could step past the end
        // and append an empty string. random_int() is the CSPRNG; rand() is not.
        $partial .= substr($hash, random_int(0, $hash_len - 1), 1);
    }
    return $partial;
}

Calling this function would give you a random sampling of the hash you send it. $len is how long the partial should be.

I have not tested this code.
#7

[eluser]Dregond Rahl[/eluser]
Thanks for your help, I'll give it a try ^^



