1

Imagine I'm implementing the reset password link: The naive solution is to pass the id of the person in the URL (without encryption), ask for the new password and update the database. This is not safe as the user_id is visible to the user and they may change the URL; what is the remedy in this regard for security? As far as I know urlencode does not help that much, as it only converts the non-alphabet characters to % and some other characters.

PS: My application is in PHP

Please let me know if you need more clarification.

user385729

2 Answers

4

You should use tokens. When a user requests a password reset, you send an email to them containing a unique (I hope) token which later translates to the user account whose password should be modified.

A token could be a hash of a couple of things. For example hash(id + email + time()). As a hash isn't reversible, isn't cryptography, you can create a simple table in the database to store those tokens.

Andrey
1

I just developed something similar for my application. My idea was to generate a temporary password and attach a sort of key at the front of the temporary password. Once they log in with the new password I check if the first couple of chars match my key and if so redirect them to a password change page.

PHP

public function tempPass() {
    $key = '$a4104_'; // marker prefix; single quotes keep the $ literal

    // Creates a temp password by picking 25 characters from this alphabet
    $alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    $pass = array();
    $alphaLength = strlen($alphabet) - 1;
    for ($i = 0; $i < 25; $i++) {
        $n = rand(0, $alphaLength); // rand() is not a CSPRNG, see the comments below
        $pass[] = $alphabet[$n];
    }
    $pass = implode('', $pass); // turn the array into a string

    // Apply whatever hash function you'd like here
    $pass = md5($pass); // Note md5 is just an example

    $pass = $key . $pass;

    // Possibly add a mail function here to send the user a new password
    return $pass;
}

I placed this in my login script.

$tempCheck = substr($password, 0, 7); // 7 = strlen('$a4104_')

if ($tempCheck === '$a4104_') {
    $temp = true;
    // They have a temporary password so redirect them
} else {
    $temp = false;
    // Not using a temporary password
}
Subie
  • `rand()` is not a suitable PRNG function for a security-sensitive function like token generation. See e.g. http://stackoverflow.com/questions/1182584/secure-random-number-generation-in-php – bobince Jan 08 '14 at 02:27
  • The function isn't trying to secure a password, just create one. You'll still need to apply whatever hash algorithm or techniques you might use to the string. I'll edit the post though. – Subie Jan 08 '14 at 02:43
  • @bobince: I agree. Subie, don't use `rand()` at all - you're adding a weak link in the chain. – SilverlightFox Jan 08 '14 at 10:33
  • Adding a hash function doesn't make it any more secure, this does not add entropy. You would have to include secret key material before hashing to make the password non-guessable. – bobince Jan 08 '14 at 15:51
  • @bobince md5() was an example; I'm assuming whoever uses the script will apply whatever security function they use to the password. Thanks for pointing out the rand() issue though. – Subie Jan 08 '14 at 16:55
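Putting the token approach from the first answer together with the point raised in the comments above (rand() is not a CSPRNG, and hashing a guessable value adds no entropy), here is an added example that is not code from the question or either answer. It assumes PHP 7+, a `$pdo` connection and a `password_resets(id, user_id, token_hash, expires_at)` table; the reset URL carries only the random token, never the user id.

```php
<?php
// Added example, not code from the question or either answer. Assumes PHP 7+,
// a PDO connection and a password_resets(id, user_id, token_hash, expires_at)
// table. The URL carries only a random token; the user id never appears in it.
declare(strict_types=1);

const RESET_TOKEN_TTL = 3600; // one hour; assumed value for this example

/** Create a reset token for $userId and return the raw token to put in the email. */
function createResetToken(PDO $pdo, int $userId): string
{
    // 32 bytes from the OS CSPRNG (not rand()); hex keeps it URL-safe as-is.
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at)
         VALUES (:uid, :hash, :exp)'
    );
    $stmt->execute([
        ':uid'  => $userId,
        ':hash' => hash('sha256', $token), // store only the hash; a DB leak yields no usable links
        ':exp'  => time() + RESET_TOKEN_TTL,
    ]);
    return $token;
}

/** Validate a token taken from the reset URL. Returns the user id, or null. Single use. */
function consumeResetToken(PDO $pdo, string $token): ?int
{
    if (strlen($token) !== 64 || !ctype_xdigit($token)) {
        return null; // wrong shape, so skip the database round trip
    }
    $pdo->beginTransaction();
    $stmt = $pdo->prepare(
        'SELECT id, user_id, expires_at FROM password_resets WHERE token_hash = :hash'
    );
    $stmt->execute([':hash' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        $pdo->rollBack();
        return null; // unknown or expired token: same answer either way
    }
    // Delete before returning so a replayed link fails.
    $pdo->prepare('DELETE FROM password_resets WHERE id = :id')
        ->execute([':id' => $row['id']]);
    $pdo->commit();
    return (int) $row['user_id'];
}
```

Because the stored value is a SHA-256 of a 256-bit random token, the database lookup by hash is the comparison; no `hash_equals()` on the raw token is needed, and the token itself never has to be kept server-side.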