
The problem:

I already built an HTML form where I first check if the email is in the form username@host.com and then, if their email is in the database, send them an email with their temporary password so they can log in with that temporary password and reset their password. But I also want to keep out any bots that might be trying to get a list of all the existing emails on my site depending on the output that they get from the site, e.g. "Your password has been reset ...".

I've seen some sites that do this: If you try to retrieve your password with a wrong address, then (I'm thinking) block their IP address for a specific amount of time, let's say 1 hour. I would like to know if there's a way to solve this with PHP or JavaScript.

If there are any examples I can get for this problem, that would be great.

VaTo
  • just add a captcha in your page – Federkun May 27 '15 at 00:04
  • I was looking for something more professional looking and not as annoying as a captcha. – VaTo May 27 '15 at 00:04
  • Ask them to enter email address of their account and log their action! and limit their access to your "forgot password" page (e.g ban their access after requesting 2-3 times) – undone May 27 '15 at 00:07
  • 1
    @Leggendario Just adding any captcha won't work. Programs like xRumer can solve many captcha types automatically and built in. Others, send the captcha to a 3rd party where you pay like $0.005 for a captcha. – Wade May 27 '15 at 00:08
  • 3
    *"send them an email with their temporary password"* - Don't do this. Generate a unique and one-time key where they can reset their own password. Also adding that if they didn't ask for the reset, to simply delete the key after 24 hours and ignore the email. Next time the request is made, the other key gets automatically deleted. – Funk Forty Niner May 27 '15 at 00:14
  • considering how easy it is to get a list of email addresses, harvesting them from your site using this method seems slightly unlikely. –  May 27 '15 at 00:29

3 Answers


You need a table in your database to hold the data.

When someone fills out the form, log it in the table. You need their IP and time.

When they fill out the form, pull up how many attempts they have made in the past x minutes. If they are greater than x attempts, block the form.

Bots will use proxies, so they could try 1,000 IP addresses for 10,000 attempts in a matter of minutes.

Adding a good captcha would be key. The ones where you have to choose a specific picture, something a bot really can't get past.

Going this route, you would want to set up a cron job to clear the old logs, so you don't have a million records slowing down your site. Have it run at, say, midnight, and clear all old logs past 24 hours or whatever time frame you feel is best for your setup.

Note: This is a baseline setup. You could store whatever data you need in the table. You could include their user-agent, but at the bare minimum you would need the IP address and the datetime they attempted the action. With that info, you can do an SQL query to see how many times in the past x minutes they have tried.

You could also use sessions and/or cookies. However, a user can simply delete cookies and get rid of the session, and bots get past sessions and cookies too. So really, the best solution is to store the IP and time in a table, and handle it as you see fit.

Without you posting some code, I really can't justify writing one up for you. We are here to help, not to do the programming for other people.

Wade
  • I like this idea. Do you have more details about this by any chance? For example how can I get the user IP address. I can implement that recaptcha thing later, I'm interested in how I can do this with PHP. Thanks for your response. – VaTo May 27 '15 at 00:11
  • 1
    How to get a person's IP has been covered many many times, all over SO and the internet. Here is a related SO question: http://stackoverflow.com/questions/15699101/get-the-client-ip-address-using-php – Wade May 27 '15 at 00:12
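A worked version of the IP-and-time table this answer describes, added here as an example (it is not Wade's code). It assumes PDO with the SQLite driver; the table name `reset_attempts`, its column names, and the limit of 3 attempts per hour are my own choices, and the client address is a constructed value:

```php
<?php
// Added example, not code from the answer: rate-limit the "forgot password" form
// by IP using an attempts table, as described above. Uses an in-memory SQLite
// database via PDO so it runs stand-alone; table and column names are my own.
const MAX_ATTEMPTS = 3;          // attempts allowed per window
const WINDOW_SECONDS = 3600;     // the 1-hour window from the question
const RETENTION_SECONDS = 86400; // the cron job purges rows older than 24 hours

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS reset_attempts (ip TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
    return $db;
}

// True when this IP has already used its allowance inside the sliding window.
function isRateLimited(PDO $db, string $ip, int $now): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM reset_attempts WHERE ip = :ip AND attempted_at > :since');
    $stmt->execute([':ip' => $ip, ':since' => $now - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn() >= MAX_ATTEMPTS;
}

// Log the attempt: IP and time are the bare minimum the answer calls for.
function recordAttempt(PDO $db, string $ip, int $now): void
{
    $db->prepare('INSERT INTO reset_attempts (ip, attempted_at) VALUES (:ip, :t)')
       ->execute([':ip' => $ip, ':t' => $now]);
}

// What the nightly cron job runs; returns the number of rows removed.
function purgeOldAttempts(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM reset_attempts WHERE attempted_at < :cutoff');
    $stmt->execute([':cutoff' => $now - RETENTION_SECONDS]);
    return $stmt->rowCount();
}

// Demo with a constructed client address (documentation range); in production
// take it from $_SERVER['REMOTE_ADDR'] rather than a header the client can set.
$db = openDb();
$ip = '203.0.113.7';
$now = time();
for ($i = 1; $i <= 5; $i++) {
    $allowed = !isRateLimited($db, $ip, $now);
    if ($allowed) { recordAttempt($db, $ip, $now); }
    echo "attempt $i: " . ($allowed ? 'allowed' : 'blocked') . "\n";
}
echo 'purged ' . purgeOldAttempts($db, $now + RETENTION_SECONDS + 1) . " rows\n";
```

Run it with `php` on the command line; the first three attempts are allowed, the rest are blocked, and the final purge (simulated a day later) removes the logged rows.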

I'd recommend adding a captcha on your sign-up page:

See - Google ReCaptcha

Captchas are widely used, and especially the recently released Google Captcha takes a lot of the "annoyance" away, since it - most of the time - only needs the user to check a checkbox.

Frank

There are a few options for this situation. As several have said you could add a Captcha, it's not 100% foolproof but it's a good solution.

From a security standpoint, I wouldn't send a temporary password to the user, rather send the user a link to a page where they can change the password themselves. You will want to either generate a one time key that they can enter on the site before changing their password, or generate the link so that it contains the one time pass code and have your application pick it up. Also, whether you take the one time pass code approach, or you send the user a temporary pass code, make sure that there is a timeout in how long they have to change the password. You can just set a time stamp on their record in the database and check against it when they try to enter their code/change password.

Mike Hamilton
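The one-time key with a timeout that this answer (and Funk Forty Niner's comment on the question) recommends, as an added example rather than code from the answer. It assumes PDO with SQLite, uses my own table and column names and a 24-hour expiry, stores only a hash of the key, and returns the same message whether or not the address is registered, which is the enumeration concern from the question:

```php
<?php
// Added example, not code from the answer: a one-time reset key with a 24-hour
// timeout instead of a temporary password, as the answer and the comment above
// describe. In-memory SQLite via PDO so it runs stand-alone; names are my own.
const TOKEN_TTL_SECONDS = 86400;

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Only a hash of the key is stored, so a copy of this table cannot be used to reset passwords.
    $db->exec('CREATE TABLE password_resets (email TEXT PRIMARY KEY, token_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Same message whether or not the address exists, so the reply does not reveal
// registered emails. The key is returned only for the demo; normally it goes into the emailed link.
function requestReset(PDO $db, string $email, int $now): array
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE email = :e');
    $stmt->execute([':e' => $email]);
    $token = null;
    if ($stmt->fetchColumn()) {
        $token = bin2hex(random_bytes(32));
        // Replacing the row discards any earlier key issued for this account.
        $db->prepare('INSERT OR REPLACE INTO password_resets VALUES (:e, :h, :x)')
           ->execute([':e' => $email, ':h' => hash('sha256', $token), ':x' => $now + TOKEN_TTL_SECONDS]);
    }
    return ['message' => 'If that address is registered, a reset link has been sent.', 'token' => $token];
}

// Consumes the key: accepted once, and only before expires_at.
function completeReset(PDO $db, string $token, string $newPassword, int $now): bool
{
    $stmt = $db->prepare('SELECT email FROM password_resets WHERE token_hash = :h AND expires_at > :now');
    $stmt->execute([':h' => hash('sha256', $token), ':now' => $now]);
    $email = $stmt->fetchColumn();
    if ($email === false) { return false; }
    $db->prepare('DELETE FROM password_resets WHERE email = :e')->execute([':e' => $email]);
    $db->prepare('UPDATE users SET password_hash = :p WHERE email = :e')
       ->execute([':p' => password_hash($newPassword, PASSWORD_DEFAULT), ':e' => $email]);
    return true;
}

$db = openDb();
$db->exec("INSERT INTO users VALUES ('user@host.com', '')"); // constructed test account
$now = time();
$r = requestReset($db, 'user@host.com', $now);
var_dump(completeReset($db, $r['token'], 'new-secret', $now + 60));   // fresh key
var_dump(completeReset($db, $r['token'], 'again', $now + 120));       // same key a second time
$r = requestReset($db, 'user@host.com', $now);
var_dump(completeReset($db, $r['token'], 'late', $now + TOKEN_TTL_SECONDS + 1)); // after the timeout
```

Only the first `completeReset` call succeeds: the key is deleted on use, and a key presented after `expires_at` is rejected by the query's time check.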