Storing passwords in MySQL: use the hash correctly? But how do you send a forgotten password to a user?

I am involved in storing user passwords in MySQL, and the ubiquitous answer is to store them using an encryption algorithm such as MD5 or SHA1. But what if user X forgot her password and wants it sent to her? What then? I can't send her the MD5 hash! How is this issue addressed in the real world? Are there two databases, one for comparing hashes and another for forgotten passwords? But what's the difference? Both will be read-only when the SQL user connects to them. So how do you do this? Thanks!!

+7
3 answers

It is pretty standard security practice to never send users their password. Instead, you offer a password reset utility tied to their ability to access their e-mail account and/or their ability to answer a question about their profile (for example, a security question, or what zip code they live in).

Flow:

  • The user clicks the "forgot password" button.
  • The user enters the security information (e-mail address, as appropriate).
  • The system sends a password reset e-mail with an automatically generated link (a GUID generated for this request).
  • The system creates a password reset record containing the reset GUID, which user it is for, and when the key expires.
  • The user receives the e-mail and clicks the link.
  • The system looks up the GUID, deletes the password reset record, and sends the user to the reset password page.
+10

The best solution is to send the user a link at which they can enter a new password without entering the forgotten one.

This link should work only once, and it should only work for a few hours.

Do not create a new password and send it by mail; users will be tempted to go on using that password (ignoring the fact that it was transmitted over an insecure channel).

+3

You are right that passwords should not be stored in plain text (they must be hashed) and, therefore, cannot be sent to users who have forgotten them.

Essentially, what you want is a way around your regular authentication scheme, and you should be aware up front that such a mechanism is a back door into the application.

Very often, the assumption is made that only the intended user can access e-mails sent to the e-mail address registered in your application. It is on this basis that the "standard" password reset rests. Here is the approach I take:

  • A forgotten password page is requested, and the user is prompted to enter their registered e-mail address into a form, which they then submit.
    • The receiving code checks whether the e-mail address is indeed registered, and if it is:
      • removes any existing password reset for this address from the relevant store
      • creates and saves a new password reset for this address
      • sends an e-mail to the user telling them that
        • "someone" requested a password reset
        • to click the link if they really want to reset
        • to ignore the e-mail if they did not request a reset
      • replies to the form submission with a page that says something like "if the address entered was registered, a reset message has been sent"
    • If the submitted address was not registered in the application, do nothing, but reply to the submission with a page that says something like "if the address entered was registered, a reset message has been sent", the same as if the address was valid (this makes it harder for someone to discover which e-mail addresses are registered in the application).
  • The user then receives the forgotten password e-mail and clicks the link in it. The link delivers a reset token to the application.
  • On receiving the reset token, the code checks that the token exists in the store and has not expired. If it does, you assume that this must be the registered user who submitted the token, and you can allow them to set a new password (a simple form with password and confirm-password fields and a submit button, containing zero personal information, not even their name).
  • Once the password is set, you can direct the user to the login page, where they enter their credentials as usual.

This is not an ideal scheme. It is a compromise between security and convenience, and make no mistake, it is a back door into the application. For low-value applications, it is usually good enough.


+2
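The reset flow described in the first and third answers, as an added worked example that is not code from the original answers. It is Python with an in-memory sqlite3 database standing in for the MySQL tables, a plain list standing in for the outgoing mail queue, and made-up names (the `users` and `password_resets` tables, `example.test`, the `TOKEN_TTL` constant); all of those are assumptions. Two points the answers only state in prose are made concrete: the store holds only a SHA-256 digest of the reset token, so a read of the reset table (the question's worry about the SQL user being able to read it) does not yield a usable link, and the password itself is stored as a salted PBKDF2 hash rather than a bare MD5/SHA1. Tokens are single use, expire after `TOKEN_TTL` seconds, and an unknown address gets exactly the same reply as a registered one.

```python
import hashlib
import hmac
import secrets
import sqlite3

TOKEN_TTL = 2 * 60 * 60      # reset links are valid for two hours ("only a few hours")
PBKDF2_ITERATIONS = 600_000  # deliberately slow: a leaked hash should be expensive to brute-force
GENERIC_REPLY = "If that address is registered, a password reset e-mail has been sent."


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a bare MD5/SHA1 of the password is not enough."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), dk.hex())


def verify_password(stored, password):
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def token_hash(token):
    """Only this digest is stored, so a database read does not hand out usable links."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def open_db():
    """In-memory stand-in for the MySQL tables (constructed schema, not from the original page)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            id      INTEGER PRIMARY KEY,
            email   TEXT UNIQUE NOT NULL,
            pw_hash TEXT NOT NULL);
        CREATE TABLE password_resets (
            token_hash TEXT PRIMARY KEY,
            user_id    INTEGER NOT NULL REFERENCES users(id),
            expires_at INTEGER NOT NULL);
    """)
    return db


def create_user(db, email, password):
    db.execute("INSERT INTO users (email, pw_hash) VALUES (?, ?)",
               (email, hash_password(password)))


def request_reset(db, email, now, outbox):
    """Forgot-password form handler. Same reply whether or not the address is registered."""
    row = db.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()
    if row is not None:
        user_id = row[0]
        # one outstanding reset per user: drop any earlier one
        db.execute("DELETE FROM password_resets WHERE user_id = ?", (user_id,))
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        db.execute("INSERT INTO password_resets VALUES (?, ?, ?)",
                   (token_hash(token), user_id, now + TOKEN_TTL))
        # outbox stands in for the mailer; the link carries the raw token, the DB only its hash
        outbox.append((email, "https://example.test/reset?token=" + token))
    return GENERIC_REPLY


def consume_reset(db, token, new_password, now):
    """Reset-link handler. True if the token was valid and the password was changed."""
    digest = token_hash(token)
    row = db.execute("SELECT user_id, expires_at FROM password_resets WHERE token_hash = ?",
                     (digest,)).fetchone()
    if row is None:
        return False
    user_id, expires_at = row
    # single use: the record goes away whether or not the token turns out to be expired
    db.execute("DELETE FROM password_resets WHERE token_hash = ?", (digest,))
    if now > expires_at:
        return False
    db.execute("UPDATE users SET pw_hash = ? WHERE id = ?",
               (hash_password(new_password), user_id))
    return True


def login(db, email, password):
    row = db.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(row[0], password)


if __name__ == "__main__":
    db, outbox, now = open_db(), [], 1_700_000_000
    create_user(db, "alice@example.test", "old-password")
    request_reset(db, "alice@example.test", now, outbox)
    token = outbox[-1][1].split("token=", 1)[1]
    print("reset changed password:", consume_reset(db, token, "new-password", now + 60))
    print("old password still works:", login(db, "alice@example.test", "old-password"))
    print("link reusable:", consume_reset(db, token, "again", now + 120))
```

Two caveats the code does not solve on its own: the registered-address path does a write and a mail send while the unknown-address path does neither, so response time still differs (queueing the mail asynchronously narrows that gap), and the form should be rate-limited so it cannot be used to flood someone's inbox or to probe addresses at volume.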
