[nycphp-talk] online password replacement
Chris Hubbard
chubbard at next-online.net
Fri Mar 5 15:39:55 EST 2004
A better approach is:
On a request to recover the password,
Make sure the email address matches what is in the database,
Then change the password in the database to some random value,
Then send the user an email (using the email in the database) with a
link to a page where the user can change the password.
Make sure the emailed link can only be used once.
If you send their password to them via email, it's in plain text and can
be fairly easily intercepted.
You can improve on the above by adding challenge questions (Mother's
maiden name, What was the name of your high school, etc), but assumes
you've gathered those questions/answers during the registration process.
Chris
Dan Cech wrote:
> Allen Shaw wrote:
>
>> Hi All,
>>
>> I wonder if anyone here has experience implementing a
>> lost-password-recovery
>> function on a login-based website. We're soon to be opening up our
>> membership database to allow each individual to edit his or her own
>> records.
>> Naturally we have a login system in place, which our core staff is
>> already
>> using to access the database, but as of now any lost passwords would be
>> replaced manually by the administrator. If we open it to hundreds of
>> people
>> that will be too much to handle, so I need to develop a way for
>> people to do
>> it themselves (probably using an email address on file). I'm sure I can
>> create something that works, but I'm not confident yet to create
>> something
>> that both works and is fairly secure.
>>
>> I googled around but couldn't find fruitful keywords. Anybody have some
>> recommendations on how best to handle this feature, or some place on
>> the Web
>> to look around?
>
>
> A fairly standard approach is to simply generate a new random password
> and send it to the email address you have on file.
>
> If you have additional data about your clients on file you may be able
> to implement a system which used that data to authenticate the client,
> either then allowing them to change their password online or request a
> new password be sent to their stored email address.
>
> Dan
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
--
Chris Hubbard
Sr Software Developer
Next Online
425 563 4153
More information about the talk
mailing list