
Sending secure temporary password

I am creating a forgotten password page and will be emailing a temporary password to the user so they can log in and reset their password.

What should I take into account when creating the password? What is the best method?

An idea I had is something like:

    $temporarypassword = sha1($_SERVER['REMOTE_ADDR']);

This is an attempt to only allow them to log in from the IP address where they requested the temp password. What is the best way to do this?

Code so far:

    // Note: the mysql_* functions used below were removed in PHP 7.
    // strpos() returns 0 for a match at the start of the string, so compare against false explicitly.
    if (strpos($_SERVER['HTTP_REFERER'], 'domain.com') !== false && ($_POST['forgotpasstoken'] == sha1($_SESSION['token'].'forgotpassword'))) {
        if (isset($_POST['forgotemail']) && !empty($_POST['forgotemail'])) {
            $email = mysql_escape_string(trim($_POST['forgotemail']));

            if (filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) {
                echo '<div class="error">Please enter a valid email address.</div>';
            } else {
                $sql = "SELECT email FROM users WHERE email = '$email' LIMIT 1";
                $res = mysql_query($sql) or die(mysql_error());
                if (mysql_num_rows($res) > 0) {
                    // If email/user exists
                    $temporarypassword = sha1($_SERVER['REMOTE_ADDR']);
                    // EMAIL PASSWORD HERE

                    echo '<div class="success">A temporary recovery password has been emailed to you.</div>';
                    // End of: if email/user exists
                } else {
                    echo '<div class="error">This email is not registered.</div>';
                }
            }
        } else {
            echo '<div class="error">Please enter an email address.</div>';
        }
    }

Use just a random string: it's more than likely that a user tries to log in from e.g. an iPhone, fails, requests a new password, and only opens the link when he's at his home PC. The IPs are different, the device is different, everything's different.

If you're emailing the password, there is no way to make it fully secure. Email is transmitted in plain text. And like alf said, the user may reset the password from a different IP address than the one they requested it from.

One option would be to create a random string, then display half of it on the password reset page (after the reset request is made) and half of the string in the email. Then require the user to enter both halves in a form before letting them choose a new password.
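The two suggestions above (a random string, split between the reset page and the email) can be sketched as follows. This is an added example, not code from the question or the answers; the function names, the `$store` array standing in for a database table, the 15-minute lifetime, and the choice to store only a SHA-256 hash with single-use redemption are assumptions of the example.

```php
<?php
// Added illustration. issueResetToken(), redeemResetToken() and $store are
// hypothetical names; $store stands in for a password-reset table keyed by email.

const RESET_TTL = 900; // token lifetime in seconds (assumed value)

function issueResetToken(array &$store, string $email, int $now): array
{
    $token = bin2hex(random_bytes(32));        // 64 hex chars from the CSPRNG
    $store[$email] = [
        'hash'    => hash('sha256', $token),   // keep only a hash server-side
        'expires' => $now + RESET_TTL,
    ];
    // First half is displayed on the reset page, second half goes in the email.
    return ['page' => substr($token, 0, 32), 'email' => substr($token, 32)];
}

function redeemResetToken(array &$store, string $email, string $pageHalf,
                          string $emailHalf, int $now): bool
{
    if (!isset($store[$email])) {
        return false;                          // no pending reset for this user
    }
    $row = $store[$email];
    if ($now > $row['expires']) {
        unset($store[$email]);                 // expired: discard
        return false;
    }
    $candidate = hash('sha256', $pageHalf . $emailHalf);
    if (!hash_equals($row['hash'], $candidate)) {
        return false;                          // constant-time mismatch check
    }
    unset($store[$email]);                     // single use: cannot be replayed
    return true;
}

// Constructed sample run: wrong email half, correct halves, then a replay.
$store = [];
$now   = time();
$parts = issueResetToken($store, 'user@example.com', $now);
var_dump(redeemResetToken($store, 'user@example.com', $parts['page'], 'wrong', $now));
var_dump(redeemResetToken($store, 'user@example.com', $parts['page'], $parts['email'], $now));
var_dump(redeemResetToken($store, 'user@example.com', $parts['page'], $parts['email'], $now));
```

Only after `redeemResetToken()` succeeds would the user be shown the form to choose a new password.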
