
According to this other post, I need to:

PHP password recovery You don't 'recover' passwords. What you do is one of 2 things.

  1. Email the user a link to create a new password, overriding the current one.
  2. Email the user a randomly generated password, then ask them to change it.

I've bitten off a huge project, and I desperately request working examples, or at least your best advice on how to do this; for ex: #1 email user link to create a new password, overriding the current one. I am told the db has password salting, and uses Blowfish. I really do not know exactly what that means, and I am going over the code to try to figure out how to add a "Reset Password?" link to their current login page.

Then, if you are so inclined, could you assist with how to email the user a randomly generated password, then ask them to change it [#2 above]?

The tasks are as-is and I don't know what code to provide so far; I'm hoping someone who has done this can show me what works, and I will try to implement it. I appreciate your help!

  • Wikipedia has a page explaining password salting: http://en.wikipedia.org/wiki/Salt_(cryptography) – Micha Wiedenmann Mar 03 '13 at 21:47
  • Not sure anyone can help you if you don't know what salting is or how to identify the kind of hashing used or how the salt is applied. You'll have to read the code and see how it is applied or any examples given here will be useless to you. – scartag Mar 03 '13 at 21:48
  • 2
    You say you've bitten off a huge project, but based on what you're asking, it sounds more like you signed up for a project you're dreadfully unqualified for. The work you're trying to complete is something which, if a small mistake is made, could expose the site to huge security problems. Why not do your reputation a favor, and do the person you agreed to work for a favor, and gracefully walk away until you're qualified. – mah Mar 03 '13 at 21:56
  • I really hope this is not for any site I have an account on. –  Mar 03 '13 at 21:59
  • I've dreaded that I may not be qualified, but I've conquered previous projects starting from nothing, and need just a little more info before calling this quits. I'm still in the process of discovery and wanted to see what you guys thought about the complexity and scope of what is being asked of me. Is there anything tangible you can put in front of me, vs just pointing out I may simply be unqualified? [hash is sha1, and wondering if i can reuse his code]. I do get your point, however [and will not rule it out!] I hope to hear from you, and a genuine thx for your willingness to help. – dcparham Mar 03 '13 at 23:56
  • didn't see such a link in my original search for assistance, but here is one as an example. http://stackoverflow.com/questions/3164978/php-help-with-password-reset-and-token-expiry/3165017#3165017. still, a genuine thx for the sobering reflections/advice. – dcparham Mar 04 '13 at 01:09

1 Answer

The usual way to generate password resets looks like this:

  1. Check that the email address belongs to a registered user.
  2. Generate a random unpredictable code.
  3. Store this code hashed in the database, together with the user-id and an expiry date.
  4. Send a link with this code to the given email address, so only the user will get this link.
  5. When the user clicks the link, extract the code, and check if its hash is in the database.
  6. If it is in the database and did not already expire, you know the user-id and you can allow the user to enter a new password (do not send a self-generated password to the user).
  7. Mark the code as used or delete it from the database.

I hope this could give you an idea of the necessary steps. If you want to learn more about BCrypt and salting, you can have a look at this tutorial about hashing passwords.

  • I am working closely with the company president, and will not produce code not absolutely vetted by him. Many thanks for warnings, and ideas alike. – dcparham Mar 05 '13 at 03:31
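The seven steps from the answer above, as an added PHP example that is not part of the original post or the asker's project. It assumes PDO against MySQL, a `users` table with `id`, `email` and `password_hash` columns, a `password_resets` table with `user_id`, `token_hash`, `expires_at` and `used_at` columns, and PHP 7+ for `random_bytes` and `password_hash`; actually emailing the link is left to the caller.

```php
<?php
// Added example of the reset flow described in the answer; schema and table names are assumptions.
const RESET_TTL_SECONDS = 3600; // links stay valid for one hour

// Steps 1-4: confirm the email belongs to a user, mint a random token, store only its
// hash with the user-id and expiry, and hand back the link to put in the email.
function createResetLink(PDO $db, string $email, string $baseUrl): ?string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null; // show the same "check your inbox" page either way, so accounts are not enumerable
    }
    $token     = bin2hex(random_bytes(32));  // 256 bits from the CSPRNG; only ever travels in the email
    $tokenHash = hash('sha256', $token);     // the database never sees the raw token
    $expires   = date('Y-m-d H:i:s', time() + RESET_TTL_SECONDS);
    $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, $tokenHash, $expires]);
    return $baseUrl . '/reset.php?token=' . $token;
}

// Steps 5-7: look up the hash of the token from the clicked link, require it to be unexpired
// and unused, set the new bcrypt-hashed password, then burn the token.
function completeReset(PDO $db, string $token, string $newPassword): bool
{
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare(
        'SELECT user_id FROM password_resets
          WHERE token_hash = ? AND used_at IS NULL AND expires_at > NOW()'
    );
    $stmt->execute([$tokenHash]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return false; // unknown, expired or already-used token
    }
    $hash = password_hash($newPassword, PASSWORD_BCRYPT); // bcrypt with a fresh per-password salt
    $db->beginTransaction();
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')->execute([$hash, $userId]);
    $db->prepare('UPDATE password_resets SET used_at = NOW() WHERE token_hash = ?')->execute([$tokenHash]);
    $db->commit();
    return true;
}
```

Because the stored value is a hash of the token, a leaked `password_resets` table does not let anyone complete a reset, and marking `used_at` makes each link single-use.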