PHP Forgot Password Function
I have a small community website and I need to implement some sort of forgotten password function. I currently store the passwords in the DB, encrypted with MD5.
Is
-
According to this post The definitive guide to forms based website authentication, for step 3. and 4., I'm not sure you should send the same token you are storing.
I guess you must send the token, then hash it and stored the hashed token in DB. Otherwise, if your database is compromised, one can have access to the reset password page.
To summarize :
$token = md5(microtime (TRUE)*100000); $tokenToSendInMail = $token; $tokenToStoreInDB = hash($token);where hash is a hashing algorithm.
讨论(0) -
The best thing for you to do is request people submit their email address when registering. Then if they forget, have a forgot password link which resets their password with a random value which is emailed to them so they can gain access and then change their password back to something more memorable. This way you don't need to compromise the security. You could have a link which they just need to submit their username into, butfor better security you should have a question and answer or memorable word.
讨论(0) -
As Marcus Reed stated, in 2015/2016 if you have PHP version >=5.5 don't use MD5, password_hash() and password_verify() provide an easy and secure hashing for your password with the ability to provide a cost and automatically salts the hash.
I don't have the ability to vote or comment currently which is why I'm providing a definitive statement to avoid confusion.
讨论(0) -
No, MD5 is irreversible. The point of hashing passwords is to make it so an attacker who gets access to your database can't access everyone's passwords.
That said, MD5 (particularly unsalted MD5) can generally be attacked using a rainbow table. For security, you're better off using bcrypt.
讨论(0) -
MD5 is intended to be a one-way hash. You will need to have them reset their password.
讨论(0) -
Use php's built in password_verify and password_hash.
讨论(0)
加载中...
- 热议问题