[OWASP_PHPSEC] Forgot Password?
rahul300chaudhary400 at gmail.com
Sat Jun 8 06:26:59 UTC 2013
But after studying google's and facebook's password recovery, I think it
would be sufficient if we just generate a long random string and allot it a
time-window. Then return this long string to application. The application
can however process it, like send this string embedded in a URL and then
send this URL to user's email.
When user submits this generated link, and it matches in the DB, and
time-frame is also correct, then let user change their password.
On Sat, Jun 8, 2013 at 2:01 AM, rahul chaudhary <
rahul300chaudhary400 at gmail.com> wrote:
> For this functionality, I am doing something like this:
> If the user invokes the forgot password function, then a separate table
> entry will be created with a separate long random ID, request time and hash
> of the temporary password of strength = 0.6.
> The long ID and the new password will be returned by this function.
> The application can take this ID and password and can use however they
> want. Such as they can pass these details in a URL, or can send them in
> user's email.
> Next time this ID is invoked, the table will check the time, if more than
> 15 min has passed, then invalidate the password. Otherwise, check the temp
> password. Calculate its hash. If correct, let the user change its password.
> If anyone has any other idea or see a flaw in this...please point out.
> Rahul Chaudhary
> Ph - 412-519-9634
Ph - 412-519-9634
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP_PHP_Security_Project