[OWASP_PHPSEC] Forgot Password?

Abbas Naderi abiusx at owasp.org
Sat Jun 8 09:02:15 UTC 2013


Yes, there is no need for a temporary pass, and no need for a separate table. It should be stored in the general application data table. The GUID should be generated cryptographically securely.
-A
On Khordad 18, 1392, at 10:56 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> But after studying Google's and Facebook's password recovery, I think it would be sufficient if we just generate a long random string and allot it a time-window. Then return this long string to the application. The application can, however, process it, like sending this string embedded in a URL and then sending this URL to the user's email.
> 
> When the user submits this generated link, and it matches in the DB, and the time-frame is also correct, then let the user change their password.
> 
> 
> On Sat, Jun 8, 2013 at 2:01 AM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:
> For this functionality, I am doing something like this:
> 
> If the user invokes the forgot password function, then a separate table entry will be created with a separate long random ID, request time and hash of the temporary password of strength = 0.6.
> The long ID and the new password will be returned by this function.
> 
> The application can take this ID and password and use them however they want. For example, they can pass these details in a URL, or send them in the user's email.
> 
> Next time this ID is invoked, the table will check the time; if more than 15 min have passed, then invalidate the password. Otherwise, check the temp password. Calculate its hash. If correct, let the user change their password.
> 
> If anyone has any other idea or sees a flaw in this... please point out.
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
> 
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
