1

I need to know if there is some kind of known algorithm to generate security codes. This is the scenario:

I have a web application, where the users has a password and an email to be identified and authenticated into the application. In case the user forgots his password, I was required to enable the funcionality of recovering it in the following way:

This should wor

  1. k with a window, where the user enter his email, and click on a button called "forgot password" (or something similar)
  2. This button should send a security code to the users email
  3. Then the application redirects the user to a new page, where the user must enter the security code received in his inbox
  4. If the security code entered by the user is valid, then he is redirected to a page where he can introduce a new password.

What I'm looking for, is for some kind of known ways to generate the security code (step 2) and to validate this security code (step 4)

Thanks in advance

Fernando Moyano
  • 1,097
  • 4
  • 15
  • 29

4 Answers4

6
  1. Generate a random code.
  2. Store it in your database.
  3. On the new page, load it back and compare to user input.

There's no cryptography required here.

Blorgbeard
  • 101,031
  • 48
  • 228
  • 272
  • Same comment, simpler than what I've thought – Fernando Moyano Feb 15 '12 at 13:56
  • 2
    `There's no cryptography required here.` - Well, not *quite* true. You want to use a cryptographically-secure PRNG, or else it will be easy to guess previous/future security codes. Fortunately, using a cryptographically-secure PRNG is [pretty simple in C#](http://stackoverflow.com/questions/1668353/how-can-i-generate-a-cryptographically-secure-pseudorandom-number-in-c) – BlueRaja - Danny Pflughoeft Feb 15 '12 at 15:11
4
  • Create an unique code with something like 20 characters. (numeric, alpha and special characters )
  • Save it in a database with a timestamp
  • send the code to the user.
  • make sure the code only works for something like 24 hours
Melvin
  • 3,421
  • 2
  • 37
  • 41
2

You can use Message authentication code for this purpose.

Kuldeep Jain
  • 8,409
  • 8
  • 48
  • 73
  • A MAC is not really required as it’s you that generates the token and for validation you only need to check whether it exists in the database. – Gumbo Feb 15 '12 at 14:01
1

As told in the previous answer you can generate a random number and also a 32 bit string key, store in the database and pass it to the page. Ask the user to enter the number, but the 32 bit should be placed as a hidden value in the page. Once the user enters the number and submits both the values will come to the backend and you can verify that. If matches then allow or generate a new one and render the page again. This avoids guessing as well as brute forcing.

raddykrish
  • 1,866
  • 13
  • 15