Forgot password

Hello

I am working on a forgot password script.
When a user puts in their email address, a password will be emailed to them.

The problem is all my passwords are md5 encrypted. When the email is sent, it gives them the encrypted password.

You don’t send them their original password. You send them a randomly created one, which you store encrypted in the database.

yes, you should give them a temporary password for one time login access. After that they can restore their password.

A more secure option is to create a new random password and set its hashed version (don’t forget the salt) as the new password for the user account. Then send the unhashed version to the user in an email with an instruction to change their new password to something else when the next log in. When they next log in with their new password, prompt them to change their password to something else and don’t let them do anything else until they have successfully done so. This way, “in theory”, only the user gets to see the unhashed new password in their email.

btw - if you google md5/sha1 hashing I think you’ll find the general consnsus is that sha1 is a better hashing alogorithm than md5.

You can give a temporary password for one time uses

Just one point that hasn’t been mentioned - hashing is a one way process and it is not possible to work out what their original password was from the hash as there are millions of possible values that all produce the same hash. Of course they most likely used the shortest one but there’s no reason why someone couldn’t use the text of “war and peace” as their password if they didn’t mind spending months each time to log in.

When you generate the new temporary password don’t forget that the old password should still work, too, as long as the user hasn’t set the new password yet. The forgot password form could be used by anyone so someone might enter someone else’s email address and send the form (either by mistake or intentionally). If the old password stopped working at that moment then the user the account belongs to will be blocked.

Another approach would be to simply send a one-time link with a unique code that will enable the user to set a new password - so no need to generate a random password. The link would lead the user to a form where they can set the password. However, it’s a good idea to make the link expire soon, for example after 24 hours.

Dear Leo Tolstoy.

The password you required has already been taken.

Please choose another one.

Damn, that took me 7 years …