Re: PHP, Md5, and password retrieval forms..



On 29 Mar, 17:13, custom...@xxxxxxxxx wrote:
On Mar 29, 10:23 am, Floortje <l...@xxxxxxxxxxxxxxxxxxxxxx> wrote:



custom...@xxxxxxxxx schreef:

I have designed a site that requires users to login. Me being new to
php, I hired a guy to help me setup the database. He set it up and it
works flawlessly. Well.. instead of helping me finish the project, he
has pretty much disappeared.

Looking at the code, the passwords are stored using Md5 encryption in
the database. I was able to get a password retrieval form working,
but it's sending the passwords encrypted.

Can they be retrieved unencrypted via form?

No

You need to reset the password.

--
Arjen
http://www.hondenpage.com

Thanks! All the work I put into it did me no good, but keeps me from
continuing on the wrong path.

I appreciate the response.

This has been said here before, but it isn't possible without SSL or a
js implementation of asymmetric encryption to /change/ the password.
Because hashes are one way it is not possible to let either party see
something that cannot be sniffed along the way. However using email
has similar difficulties due to its inherent insecurity, but it can be
made secure if the user gets their email using SSL webmail or secure
pop.

When a user wishes to change their password, first they must prove to
your system that they know a little bit about the user whose password
they wish to change, so asking for an email address and user is OK, but
not great. Then your server needs to find those two in the same row of
the database - which is why you ask for it on signup - and set a
random string in the "reset" column of the same row perhaps, and send
an email to that user: "someone, probably you, has requested to reset
your password; click here if you wish this, or don't do anything."
The link is of the form
<a href="https://server.com/pass_reset.php?id=random_string">here</a>
The script looks up the random string, and knows which password to
reset. The markup for pass_reset.php is just a form asking for the new
password twice, and a hint which can be stored in a new "hint" column
of the same table. This is done over SSL so it's secure; the server
then computes md5 or sha1(password) and the result is stored against the
random-string row. An email can then be sent as confirmation, together
with the hint.
It's not great, in fact this is a _whole_ area, but this follows the
model of a lot of forums. It's a good trade-off between inconvenience
and security, like not posting armed guards at hospitals, or swimming
with iron underwear in a zone where sharks are sometimes seen.
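The two halves of the reset flow described in the post above, as an added example rather than code from the thread. It assumes a `users` table with `email`, `username`, `pass_hash`, `reset_hash` and `reset_expires` columns (constructed here in an in-memory SQLite database), stores only a SHA-256 of the random string so a leaked table does not yield working links, gives the link a one-hour expiry, and uses `password_hash()` in place of the md5/sha1 the post mentions.

```php
<?php
// Added example, not code from the thread. Table layout and column names
// are assumptions; the sample row at the bottom is constructed test data.

function begin_reset(PDO $db, string $email, string $username): ?string {
    // Step 1: requester must supply two values that sit in the same row.
    $st = $db->prepare('SELECT id FROM users WHERE email = ? AND username = ?');
    $st->execute([$email, $username]);
    $id = $st->fetchColumn();
    if ($id === false) {
        return null; // caller shows the same neutral message either way
    }
    // Step 2: random string for the link; keep only its hash, with an expiry.
    $token = bin2hex(random_bytes(32));
    $st = $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE id = ?');
    $st->execute([hash('sha256', $token), time() + 3600, $id]);
    // The mail body would carry https://server.com/pass_reset.php?id=<token>
    return $token;
}

function complete_reset(PDO $db, string $token, string $new, string $again): bool {
    // pass_reset.php asks for the new password twice; reject mismatches early.
    if ($new !== $again || strlen($new) < 8) {
        return false;
    }
    $st = $db->prepare('SELECT id FROM users WHERE reset_hash = ? AND reset_expires > ?');
    $st->execute([hash('sha256', $token), time()]);
    $id = $st->fetchColumn();
    if ($id === false) {
        return false; // unknown, already used, or expired token
    }
    // Step 3: store the new password hash and clear the token (single use).
    $st = $db->prepare('UPDATE users SET pass_hash = ?, reset_hash = NULL, reset_expires = NULL WHERE id = ?');
    $st->execute([password_hash($new, PASSWORD_DEFAULT), $id]);
    return true;
}

// Demo with a constructed in-memory table and one constructed user row.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, username TEXT,
           pass_hash TEXT, reset_hash TEXT, reset_expires INTEGER)');
$db->exec("INSERT INTO users (email, username, pass_hash) VALUES ('a@example.test', 'alice', '')");

$token = begin_reset($db, 'a@example.test', 'alice');
echo complete_reset($db, $token, 'correct horse', 'correct horse') ? "first reset accepted\n" : "first reset refused\n";
// Second use of the same link must be refused because the hash was cleared.
echo complete_reset($db, $token, 'correct horse', 'correct horse') ? "reuse accepted\n" : "reuse refused\n";
```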
