[OWASP_PHPSEC] Forgot Password?

rahul chaudhary rahul300chaudhary400 at gmail.com
Sat Jun 8 06:26:59 UTC 2013


But after studying Google's and Facebook's password recovery, I think it
would be sufficient if we just generate a long random string and allot it a
time-window. Then return this long string to the application. The application
can process it however it likes, such as embedding this string in a URL and then
sending this URL to the user's email.

When the user submits this generated link, and it matches in the DB, and the
time-frame is also correct, then let the user change their password.


On Sat, Jun 8, 2013 at 2:01 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> For this functionality, I am doing something like this:
>
> If the user invokes the forgot password function, then a separate table
> entry will be created with a separate long random ID, request time and hash
> of the temporary password of strength = 0.6.
> The long ID and the new password will be returned by this function.
>
> The application can take this ID and password and can use them however they
> want. For example, they can pass these details in a URL, or can send them in
> the user's email.
>
> Next time this ID is invoked, the table will check the time; if more than
> 15 min have passed, then invalidate the password. Otherwise, check the temp
> password. Calculate its hash. If correct, let the user change their password.
>
> If anyone has any other idea or sees a flaw in this... please point out.
>
> --
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
>



-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
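The flow proposed in this thread (generate a long random token, store it with a time window, hand the raw token to the application to embed in a mailed URL, and only allow a password change if the submitted token matches in the DB and the window has not expired) is shown below as an added example. This is not code from the thread or from the OWASP PHP Security Project; it assumes PHP 7 or later and uses a plain in-memory array as a stand-in for the database table. Two choices go beyond what the thread states: the table stores only a SHA-256 hash of the token, so a leaked table does not yield usable reset links, and each token is burned after one successful use.

```php
<?php
// Added example, not from the thread: a minimal password-reset token store.
// Assumptions: PHP 7+ (random_bytes), an in-memory array standing in for the
// DB table, and a 15-minute window as discussed in the thread.

const RESET_TTL_SECONDS = 15 * 60;

/** Constructed in-memory stand-in for the reset-request table (hash => row). */
$resetTable = [];

/**
 * Create a reset request for $userId and return the raw token.
 * Only the SHA-256 hash of the token is stored; the application embeds the
 * raw token in the URL it e-mails to the user.
 */
function createResetToken(array &$table, string $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits of CSPRNG output
    $table[hash('sha256', $token)] = [
        'user'    => $userId,
        'expires' => $now + RESET_TTL_SECONDS,
        'used'    => false,
    ];
    return $token;
}

/**
 * Verify a submitted token. Returns the user id when the token is known,
 * unexpired and unused; otherwise null. A successful lookup marks the token
 * used so the same link cannot be replayed.
 */
function consumeResetToken(array &$table, string $token, int $now): ?string
{
    $key = hash('sha256', $token);                // look up by hash, never raw
    if (!isset($table[$key])) {
        return null;                              // unknown token
    }
    $row = $table[$key];
    if ($row['used'] || $now > $row['expires']) {
        unset($table[$key]);                      // stale or replayed: discard
        return null;
    }
    $table[$key]['used'] = true;                  // single use
    return $row['user'];
}

// Demonstration with constructed values.
$now   = time();
$token = createResetToken($resetTable, 'alice', $now);
var_dump(consumeResetToken($resetTable, $token, $now + 60));        // within window
var_dump(consumeResetToken($resetTable, $token, $now + 120));       // replay of a used token

$token2 = createResetToken($resetTable, 'bob', $now);
var_dump(consumeResetToken($resetTable, $token2, $now + 16 * 60));  // past the 15-minute window
var_dump(consumeResetToken($resetTable, 'not-a-real-token', $now)); // token never issued
```

In the demonstration the first call succeeds for the freshly issued token and the remaining three fail: the replay, the expired token and the unknown token all return null, and the expired and replayed rows are dropped from the table. Passing `$now` explicitly rather than calling `time()` inside the functions keeps the expiry check testable without waiting out the window.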