how to retrieve forgotten password?

scorpioy

Like applying an email account, besides to set a password, website normally ask the user to set some special addtional questions and answers that are easy for the user to remember. In case that the user forget the password, password can be retrieved by correctly answering those special addtional questions.

My first try of implement this idea:

there has to be a table that stores plain password in mysql for retrieving and reminding the user password
the password is encripted at server side and is stored in both encripted and unencripted form
if the user forgets the password, ask the user the answers of those special addtional questions, which only has encripted version. This implies that if the user forgets these answers, nobody is able to retrieve the password any more.

Because of 1 and 2, I thought that encription can only take place at Apache server side in order to store the plain password version, but then plain password is transmitted via the internet which has a high risk of security concern.

Any one knows good idea of solving this problem?

rachel2004

If the concern is transmitting plain text passwords, why not use SSL to encrypt the link between client and server?

scorpioy

what I am asking is how to deal with the situation of forgetting password for a friendly user. I proposed that idea, but I know there is security problem. SSL might work for that. Are there any other ideas, such as the idea of encripting password at client side?

drew010

if you are really that concerned about transmitting unencrypted then you will need to use javascript or something client side to encrypt it before sending. there is a javascript implementation of md5 here (you need to view source to get it). The only problem with md5 is that it is irreversable so you will have to reset a person's password rather than send it back to them. in any case, be it emailing them their forgotten password or just showing it to them on the website, it requires sending it unencrypted (unless you use ssl over http). if you decide to encrypt the password client side you can use ssl to make the user create a new password thru a form if they forget it since you wouldn't be able to show them the original.
i think you may be going a little overboard unless the people who will be using your site are either wanted criminals with the gov packet sniffing their internet connection or spies with other people sniffing their connection.
with the enormous amount of data travelling over the internet at any given time intercepting someones transmission would take great skills and if they had the ability to sniff a huge network or isp i would imagine they are looking for something other than a password to a person's account on your site. just my 2c. dont make it more complicated than it needs to be.

TheDefender

An option I have used in the past is this:

Have them fill out the "lost password" form by answering the verification question, and providing the email addy they registered with. In this script, de-activate the account by changing an "active" column in the table from yes to no.

Then send an activation email to the user that they have to click on the link to re-activate the account. (I usually send the encrypted password as part of the link for activation)

Once they click the link, tell them they have to reset their password, at which point in time, they do so.

This does a few things... 1) Confirms it is the right user, and 2) Gives them a sense of security to know you aren't storing their passwords plain text. 3) Allows them to set a password they know, and (hopefully) can remember.

I wouldn't recommend using any method of encryption that can be decrypted, because that defeats the purpose of the encryption to begin with. And don't ever email unencrypted passwords. (That comes from my IT profession)

scorpioy

Originally posted by TheDefender
An option I have used in the past is this:

Have them fill out the "lost password" form by answering the verification question, and providing the email addy they registered with. In this script, de-activate the account by changing an "active" column in the table from yes to no.

Then send an activation email to the user that they have to click on the link to re-activate the account. (I usually send the encrypted password as part of the link for activation)

Once they click the link, tell them they have to reset their password, at which point in time, they do so.

This is a good idea, which uses user provided email addresss as the authentication.

But I'm not sure why bother to have a 'status' column. Is it for the reason that if the user don't activate the account for a certain period, the account can be deleted from the database?

How to make that re-activate link (with encrypted password)?

Thanks a lot.

TheDefender

Originally posted by scorpioy
This is a good idea, which uses user provided email addresss as the authentication.

But I'm not sure why bother to have a 'status' column. Is it for the reason that if the user don't activate the account for a certain period, the account can be deleted from the database?

How to make that re-activate link (with encrypted password)?

Thanks a lot.

The user provided email address works best when bounced against the verification questions, so you have a pretty good idea that it's the right account.

I have a "status" column in case the account is inactive for say... 30 days, but I want to keep it in the DB for 90. This way, they can still reactivate their account without creating a new one. I have been known to not use an account for something for a month myself, so I give my users a break. At the 30 day mark, an email is sent to them reminding them to reactivate their account. That's why I use it, but I guess it's a matter of personal opinion.

To make the link, I generate a random access code and encrypt that. I also query the DB to pull their password, and I compile the link like so:
http://thedomain.com/activate.php?aid=ENCRYPTEDPW-ENCRYPTEDCODE
I also send the unencrypted access code so the user has to manually enter that.

When they click the link, the activate page prompts the user for the activation code I sent them and their user name. They enter that info, and it queries the DB for the username and encrypted PW combo. If it passes that, it encrypts their access code, and bounces it against the encrypted one in the URL. If it passes all of that, it activates the account, and sets the password to the access code, and advises the user they must create a new password to proceed. (If they don't enter a new password, they have to go through the entire procedure again, since the PW was changed to the encrypted access code, so the original link won't work for them.)

It may be overkill, it may have flaws, but it works for me, and my users. I haven't had any problems doing it this way, nor have any of my clients.