Dealing with Lost Passwords in PHP

InfinityCoder December 20, 2016

You want to issue a password to a user who has lost her password.

Generate a new password and send it to the user’s email address (which you should have on file):

/* Generate new password.
   Note: mt_rand() is a Mersenne Twister, not a cryptographically secure
   generator; on PHP 7 and later use random_int(33, 126) here instead. */
$new_password = '';
for ($i = 0; $i < 8; $i++) {
     $new_password .= chr(mt_rand(33, 126));  /* printable ASCII, '!' .. '~' */
}
 
/* Hash new password (bcrypt by default; the plain text is never stored). */
$hashed_password = password_hash($new_password, PASSWORD_DEFAULT);
 
/* Save new hashed password to the database (prepared statement, so the
   username is bound as data rather than interpolated into the SQL). */
$st = $db->prepare('UPDATE users
              SET password = ?
              WHERE username = ?');
 
$st->execute(array($hashed_password, $clean['username']));
 
/* Email new plain text password to user. */
mail($clean['email'], 'New Password', "Your new password is: $new_password");

Note that this code uses the password_hash() function, which is available only in PHP 5.5 and later.

The one-way nature of hashing prevents you from retrieving the plain-text password. Instead, generate a new password and send that to her email address. If you send the new password to an address you don’t already have on file for that user, you have no way to verify that the new address really belongs to the user; it may be an attacker attempting to impersonate the real user.

Because the email containing the new password travels in plain text, the code in the Solution doesn’t include the username in the email message. This reduces the chance that an attacker who eavesdrops on the message can make use of the password.

To avoid disclosing a new password by email at all, let a user authenticate herself without a password by answering one or more personal questions (the answers to which you have on file). These questions can be “What was the name of your first pet?” or “What’s your mother’s maiden name?”: anything a malicious attacker is unlikely to know. If the user provides the correct answers to your questions, you can let her choose a new password.

One way to compromise between security and readability is to generate a password for a user out of actual words interrupted by some numbers:

$words = array('mother', 'basset', 'detain', 'sudden', 'fellow', 'logged',
               'remove', 'snails', 'direct', 'serves', 'daring', 'chirps',
               'reward', 'snakes', 'uphold', 'wiring', 'nurses', 'regent',
               'ornate', 'dogmas', 'mended', 'hinges', 'verbal', 'grimes',
               'ritual', 'drying', 'chests', 'newark', 'winged', 'hobbit');
 
/* word + two-digit number + word, e.g. mother43hobbit.
   As above, prefer random_int() over mt_rand() on PHP 7+ for password material. */
$word_count = count($words);
$password = sprintf('%s%02d%s',
                    $words[mt_rand(0, $word_count - 1)],
                    mt_rand(0, 99),
                    $words[mt_rand(0, $word_count - 1)]);
echo $password;

This code produces passwords that are two six-letter words with two numbers between them, like mother43hobbit or verbal68nurses. The passwords are long, but remembering them is made easier by the words in them.

Sending a new password to a user’s email address implicitly assumes that the person reading the email at that address is authorized to log in. Based on that assumption, you could also just email the user a one-time-use URL. When she visits that URL, show her a page that lets her reset her password. If the URL is sufficiently hard to guess, then you can be confident that only the email recipient will access it.
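The one-time-use URL approach, as an added example that is not part of the original post: the token comes from random_bytes(), only its hash is stored, it expires, and it is marked used on first visit. It assumes a PDO connection $db, validated $clean values as in the Solution, and a hypothetical table password_resets(username, token_hash, expires_at, used).

```php
<?php
// Added example, not code from the original post. Assumes PHP 7+, a PDO
// connection $db, and a hypothetical table
// password_resets(username, token_hash, expires_at, used).

const RESET_TTL_SECONDS = 1800;   // reset links stop working after 30 minutes

/* Create a reset token, store only its hash, and email the one-time URL. */
function issueResetLink(PDO $db, string $username, string $email): void
{
    // random_bytes() is a CSPRNG, unlike mt_rand(); 32 bytes = 256 bits of entropy,
    // so the URL is not guessable.
    $token = bin2hex(random_bytes(32));
    // Store a hash, not the token: a leaked table does not yield usable links.
    $tokenHash = hash('sha256', $token);
    $expires = date('Y-m-d H:i:s', time() + RESET_TTL_SECONDS);

    $st = $db->prepare('INSERT INTO password_resets
                        (username, token_hash, expires_at, used)
                        VALUES (?, ?, ?, 0)');
    $st->execute([$username, $tokenHash, $expires]);

    // Only the email recipient ever sees the raw token. As in the Solution,
    // the message deliberately omits the username.
    $url = 'https://example.com/reset.php?token=' . $token;   // hypothetical host
    mail($email, 'Password reset', "To choose a new password, visit: $url");
}

/* Verify the token from the URL. Returns the username, or null if the token
   is malformed, unknown, expired, or already used. Marks it used on success. */
function consumeResetToken(PDO $db, string $token): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                      // wrong shape: reject before touching the DB
    }
    $tokenHash = hash('sha256', $token);
    $st = $db->prepare('SELECT username, expires_at FROM password_resets
                        WHERE token_hash = ? AND used = 0');
    $st->execute([$tokenHash]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || strtotime($row['expires_at']) <= time()) {
        return null;                      // unknown, used, or expired
    }
    // Burn the token so the URL works exactly once.
    $st = $db->prepare('UPDATE password_resets SET used = 1 WHERE token_hash = ?');
    $st->execute([$tokenHash]);
    return $row['username'];
}
```

On the reset page, call consumeResetToken() first and only then hash the user's chosen password with password_hash() and run the same UPDATE users statement as the Solution.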
