发表新帖
发表新帖

PHP password recovery

前端 未结
关注
4 1997
星月不相逢
星月不相逢 2020-12-28 20:32

I realize that for security that passwords should not be stored in a DB as plaintext. If I hash them, I can validate them for login purposes.

But if I want to set u

相关标签:
4条回答
  • 走了就别回头了
    2020-12-28 20:49

    You can not recover password that were hashed, neither should you.

    What you should do instead is:

    1. Put some verification on the password reset request, like CAPTCHA.
    2. Create an one-time random code and send a link with it to user's email.
    3. Have this code expire in, say, an hour.
    4. Have this code expire immediately once used.
    5. On the link with the code, if it validates, allow him to change his password.
    6. Notify him that the password was changed, but do not send it in the email.
    0 讨论(0)
  • 一个人的身影
    2020-12-28 21:00

    You can create a new (and randomly generated) password for user, and md5 it , and then send user via email.

    0 讨论(0)
  • 鱼传尺愫
    2020-12-28 21:03

    My process is as follows.

    1. User initiates a forgotten password request

    The user clicks a forgotten password link and then redirected to a reset password form where they are asked to enter their registered email address.

    2. Email address verified and token generated

    After the user has entered their email address, the system verifies that it exists in the database. If the email address is valid then a token is generated and stored in the database with the users credentials.

    3. Send recovery email

    An email is sent to the registered email address containing a link to a reset form, the link includes 2 GET parameters including the token and the users unique ID stored in the database.

    4. Reset password

    After the user clicks the link they are taken to the reset form. The system retrieves the 2 GET parameters from the URL and verifies they exist in the database. If the token is verified to exist in the database with the user then the user may be shown the reset password form fields to enter a new password.

    Security

    I suggest using BCrypt (available since PHP 5.3) to hash the passwords and for additional security, perhaps use some sort of expiration for the token so it can't be used after a period of time.

    0 讨论(0)
  • 情歌与酒
    2020-12-28 21:09

    You don't 'recover' passwords. What you do is one of 2 things.

    1. Email the user a link to create a new password, overriding the current one
    2. Email the user a randomly generated password, then ask them to change it
    0 讨论(0)
 看不清?
提交回复
热议问题