1

Imagine I'm implementing the reset password link: the naive solution is to pass the id of the person in the URL (without encryption), ask for the new password and update the database. This is not safe as the user_id is visible to the user and they may change the URL; what is the remedy in this regard for security? As far as I know urlencode does not help that much, as it only converts the non-alphabet characters to % and some other characters.

PS: My application is in PHP

Please let me know if you need more clarification.

1
  • 1
    create a 1 shot password reset token, put in email and log in db Commented Jan 7, 2014 at 19:40

2 Answers

4

You should use tokens. When a user requests a password reset, you send an email to him containing a unique (I hope) token which later translates to the user account whose password should be modified.

A token could be a hash of a couple of things. For example, hash(id + email + time()). As a hash isn't reversible, isn't cryptography, you can create a simple table in the database to store those tokens.


9 Comments

why didn't i think of that ;-)
Thanks for your solution :) By hash you mean sending the user_id which is encoded + a key?
Anyone can calculate sha1($user_id).
Token should be random.
Either the token needs to be random and stored, or it needs to be signed with a MAC (typically HMAC over a server secret key). Either way it should stop working when it has been used or after a certain amount of time has passed.
1

I just developed something similar for my application. My idea was to generate a temporary password and attach a sort of key at the front of the temporary password. Once they log in with the new password I check if the first couple of chars match my key and if so redirect them to a password change page.

PHP

public function tempPass() {

    $key = '$a4104_';

    $alphabet = "abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789";
    $pass = array();
    $alphaLength = strlen($alphabet) - 1; //Creates a temp password
    for ($i = 0; $i < 25; $i++) {
        $n = rand(0, $alphaLength);
        $pass[] = $alphabet[$n];
    }
    $pass = implode($pass); //turn the array into a string

    //Apply whatever hash function you'd like here
    $pass = md5($pass); //Note md5 is just an example

    $pass = $key.$pass;

    return $pass;

    //Possibly add a mail function here to send the user a new password

}

I placed this in my login script.

$tempCheck = substr($password, 0, 7);

if ($tempCheck === '$a4104_') {
    $temp = true;
    //They have a temporary password so redirect them
} else {
    $temp = false;
    //Not using a temporary password
}

5 Comments

rand() is not a suitable PRNG function for a security-sensitive function like token generation. See eg stackoverflow.com/questions/1182584/…
The function isn't trying to secure a password, just create one. You'll still need to apply whatever hash algorithm or techniques you might use to the string. I'll edit the post though.
@bobince: I agree. Subie don't use rand() at all - you're adding a weak link in the chain.
Adding a hash function doesn't make it any more secure, this does not add entropy. You would have to include secret key material before hashing to make the password non-guessable.
@bobince md5() was an example I'm assuming whoever uses the script will apply whatever security function they use to the password. Thanks for pointing out the rand() issue though.
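The approach the comments under both answers converge on (a random token that is stored, expires and works only once, generated with a CSPRNG rather than rand()), as an added example that is not code from either answer. The table name `password_resets`, the one-hour lifetime and the function names are assumptions, and an in-memory SQLite database stands in for the application's database so the script runs on its own.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 3600; // assumed lifetime in seconds (one hour)

// Constructed in-memory table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_resets (token_hash TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL, used_at INTEGER)');

// Returns the token to put in the e-mailed link. Only its SHA-256 digest is
// stored, so a leaked table does not hand out working reset links.
function issueResetToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG, not rand()
    // A new request invalidates any earlier token for the same user.
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO password_resets (token_hash, user_id, expires_at)
        VALUES (?, ?, ?)')->execute([hash('sha256', $token), $userId, time() + TOKEN_TTL]);
    return $token;
}

// Returns the user id for a valid, unexpired, unused token and marks it used;
// returns null for anything else. The user id never appears in the URL.
function redeemResetToken(PDO $db, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // malformed input never reaches the database
    }
    $hash = hash('sha256', $token);
    $now = time();
    // Single conditional UPDATE: of two concurrent requests, only one gets a row.
    $upd = $db->prepare('UPDATE password_resets SET used_at = ?
        WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?');
    $upd->execute([$now, $hash, $now]);
    if ($upd->rowCount() !== 1) {
        return null;
    }
    $sel = $db->prepare('SELECT user_id FROM password_resets WHERE token_hash = ?');
    $sel->execute([$hash]);
    return (int) $sel->fetchColumn();
}

$token = issueResetToken($db, 42); // 42 is a constructed user id
var_dump(redeemResetToken($db, $token)); // first use of the link
var_dump(redeemResetToken($db, $token)); // replay of the same link
var_dump(redeemResetToken($db, '42'));   // a guessed id is not a token
```

The password change form should call `redeemResetToken()` on submission and update the password only for the user id it returns.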
