[OWASP_PHPSEC] Forgot Password?

rahul chaudhary rahul300chaudhary400 at gmail.com
Sat Jun 8 06:01:04 UTC 2013


For this functionality, I am doing something like this:

If the user invokes the forgot-password function, then a separate table
entry will be created with a separate long random ID, the request time and a hash
of the temporary password (strength = 0.6).
The long ID and the new password will be returned by this function.

The application can take this ID and password and use them however it
wants, for example by passing these details in a URL or sending them to the
user's email.

The next time this ID is invoked, the table will be checked for the time: if more than
15 min have passed, the password is invalidated. Otherwise, check the temp
password: calculate its hash, and if it is correct, let the user change their password.

If anyone has any other idea or sees a flaw in this... please point it out.

-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
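The flow described in the post (random request ID, request time and a hash of a temporary password stored in a table; 15-minute expiry; verify by hashing the presented password), written out as an added example. This is not code from the OWASP PHP Security Project or from the poster; the in-memory array standing in for the database table, the function names, the fixed demo timestamp and the use of random hex bytes in place of the library's "strength = 0.6" password generator are all assumptions made here. It goes one step beyond the post by deleting the row once a reset succeeds, so a request ID and temporary password cannot be replayed within the 15-minute window.

```php
<?php
// Added example, not project code: a minimal reset-request flow in the
// shape the post describes. $table is a constructed in-memory array that
// stands in for a reset_requests database table with the same columns.

const RESET_TTL_SECONDS = 15 * 60;   // 15-minute validity, as in the post
const RESET_ID_BYTES    = 32;        // 256-bit random request ID
const TEMP_PW_BYTES     = 16;        // 128-bit temporary password (assumed generator)

/**
 * Create a reset request for $userId. Only the hash of the temporary
 * password is stored; the plaintext ID and password are returned once so
 * the application can deliver them (URL, email, etc.) as it sees fit.
 */
function createResetRequest(array &$table, string $userId, int $now): array
{
    $id       = bin2hex(random_bytes(RESET_ID_BYTES));
    $tempPass = bin2hex(random_bytes(TEMP_PW_BYTES));

    $table[$id] = [
        'user_id'      => $userId,
        'request_time' => $now,
        'pass_hash'    => password_hash($tempPass, PASSWORD_DEFAULT),
    ];

    return ['id' => $id, 'password' => $tempPass];
}

/**
 * Check a presented ID and temporary password. Returns the user ID that
 * may now change its password, or null. Expired rows are removed when
 * seen, and a successfully used row is removed so the token is single-use.
 */
function verifyResetRequest(array &$table, string $id, string $tempPass, int $now): ?string
{
    if (!isset($table[$id])) {
        return null;                       // unknown, expired or already-used ID
    }

    $row = $table[$id];

    if ($now - $row['request_time'] > RESET_TTL_SECONDS) {
        unset($table[$id]);                // more than 15 min: invalidate
        return null;
    }

    // password_verify() recomputes the hash and compares in constant time.
    if (!password_verify($tempPass, $row['pass_hash'])) {
        return null;                       // wrong temp password; row stays until it expires
    }

    unset($table[$id]);                    // consume on success so it cannot be replayed
    return $row['user_id'];
}

// --- constructed demo run (fixed timestamp, no real clock or database) ---
$table = [];
$now   = 1370671264;

['id' => $id, 'password' => $pw] = createResetRequest($table, 'user42', $now);

var_dump(verifyResetRequest($table, $id, 'not-the-password', $now + 60));  // wrong temp password
var_dump(verifyResetRequest($table, $id, $pw, $now + 60));                 // correct, within 15 min
var_dump(verifyResetRequest($table, $id, $pw, $now + 60));                 // same token presented again

['id' => $id2, 'password' => $pw2] = createResetRequest($table, 'user42', $now);
var_dump(verifyResetRequest($table, $id2, $pw2, $now + 16 * 60));          // presented after 16 min
```

Two details worth keeping when moving this to a real table: pass the current time in from the caller (as above) so expiry can be tested without touching the clock, and delete or mark rows on success, since the post's check as written would accept the same ID and temporary password any number of times inside the 15-minute window.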