8 Replies - 7819 Views - Last Post: 07 October 2010 - 06:43 PM

#1 CodeVillain (D.I.C Head) - Reputation: 11 - Posts: 143 - Joined: 10-July 10

Creating a "Forgot Password" for encrypted passwords

Posted 06 October 2010 - 03:51 PM

So, as much fun as it is to be able to be a creep and view people's passwords, I've decided to start using MD5 password encryption. But this raises a problem: I'm now unable to just send users their passwords via email. So what I need to do is figure out how to create one of those emails with a link a user clicks on which then allows them to create a new password, but once again my Google search attempts are failing me.

Could someone please send me a link to a website/tutorial that explains how to do this?


Replies To: Creating a "Forgot Password" for encrypted passwords

#2 creativecoding (Hash != Encryption) - Reputation: 926 - Posts: 3,205 - Joined: 19-January 10

Re: Creating a "Forgot Password" for encrypted passwords

Posted 06 October 2010 - 05:58 PM

You can't decrypt MD5. It only encrypts. I recommend a reset password.

#3 no2pencil (Toubabo Koomi) - Reputation: 5246 - Posts: 27,062 - Joined: 10-May 07

Re: Creating a "Forgot Password" for encrypted passwords

Posted 06 October 2010 - 06:58 PM

No no no no... md5 is not encryption, it's a hash. That's why you can't go back.

When a user 'forgets' their password & you are using md5, you need to reset their password. I usually did this by changing it to 4 random letters & 4 random numbers, md5 hash that, store that hash into the database under their password, set a database column 'needtochangepassword' (or something) to 1, & then when they log in, if their 'needtochangepassword' is set to 1, force them to update their password, & change 'needtochangepassword' to zero.

Make sense?

You can only compare the hashes. The original password technically no longer holds a value.

They know the password, you know the hash. Only you can change their password to compare it to the hash, thus making it more secure than plain text passwords.

#4 CodeVillain (D.I.C Head) - Reputation: 11 - Posts: 143 - Joined: 10-July 10

Re: Creating a "Forgot Password" for encrypted passwords

Posted 07 October 2010 - 05:39 PM

no2pencil, on 06 October 2010 - 04:58 PM, said:

No no no no... md5 is not encryption, it's a hash. That's why you can't go back.

When a user 'forgets' their password & you are using md5, you need to reset their password. I usually did this by changing it to 4 random letters & 4 random numbers, md5 hash that, store that hash into the database under their password, set a database column 'needtochangepassword' (or something) to 1, & then when they log in, if their 'needtochangepassword' is set to 1, force them to update their password, & change 'needtochangepassword' to zero.

Make sense?

You can only compare the hashes. The original password technically no longer holds a value.

They know the password, you know the hash. Only you can change their password to compare it to the hash, thus making it more secure than plain text passwords.


Yep, that makes perfect sense. I'll set that up for now; however, what I wanted to do was make it so that they get an email with a link which then forces them to change their password. Instead of generating a new password, sending them that password, then having them log in and update their password there, they could instead just click a link which would take them to a create-new-password page. I've seen this done before, I just don't know how to do it myself.

#5 no2pencil (Toubabo Koomi) - Reputation: 5246 - Posts: 27,062 - Joined: 10-May 07

Re: Creating a "Forgot Password" for encrypted passwords

Posted 07 October 2010 - 06:19 PM

CodeVillain, on 07 October 2010 - 06:39 PM, said:

however what I wanted to do was make it so that they get an email with a link which then forces them to change their password.

Right, you tag the account as required to change by setting a database variable as described above. You can auto-plug their new/temporary username/password combo into the $_GET array. This way they are already logged in, but cannot access the system until they actually change their password.

Quote:

Instead of generating a new password, sending them that password, then having them login and update their password there they could instead just click a link which would take them to a create new password page.

Once they change their password, change the database value that checks for force to change back to zero so they can log in without having to change their password.

Scenario :

user clicks forgot password ->
server <- change db value 'forcechangepassword' to 1
server <- set user password 'temp1234'
server <- email user url example.com?user=user&pass=temp1234
user clicks email link ->
server <- logs user in via values in $_GET
server <- checks value of 'forcechangepassword', it's 1, force user to change
server <- send user to password change page
user -> changes password
server <- set 'forcechangepassword' to 0
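The reset flow in the scenario above, as an added example that is not code from the thread (Python rather than the PHP the posts assume). It keeps the same shape (flag the account, mail a link, force a change on the next login, clear the flag afterwards) but puts a random single-use token in the link instead of a temporary password, stores only a hash of that token so a database dump does not reveal working links, and lets the token expire. The in-memory `users` dict, the host example.com, the URL layout, the 30-minute lifetime and all helper names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the users table. Each row holds a password salt and
# hash, the SHA-256 of the outstanding reset token (never the token itself),
# the token's expiry, and the 'forcechangepassword' flag from the thread.
users = {}

TOKEN_TTL_SECONDS = 30 * 60  # assumed: reset links stop working after 30 minutes


def hash_password(password, salt):
    """Salted, iterated password hash using PBKDF2 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username, password):
    salt = secrets.token_bytes(16)
    users[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "reset_hash": None,
        "reset_expires": 0.0,
        "force_change": 0,
    }


def verify_password(username, password):
    row = users.get(username)
    if row is None:
        return False
    candidate = hash_password(password, row["salt"])
    return hmac.compare_digest(candidate, row["pw_hash"])  # constant-time compare


def request_reset(username, now=None):
    """'user clicks forgot password': mint a token, store its hash, flag the account.
    Returns the raw token for the emailed link, or None for an unknown user
    (the HTTP response should look the same either way)."""
    row = users.get(username)
    if row is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    row["reset_hash"] = hashlib.sha256(token.encode()).digest()
    row["reset_expires"] = now + TOKEN_TTL_SECONDS
    row["force_change"] = 1
    return token


def reset_link(username, token):
    # Assumed URL layout; example.com is the placeholder host used in the thread.
    return f"https://example.com/reset?user={username}&token={token}"


def complete_reset(username, token, new_password, now=None):
    """'user clicks email link' and 'changes password' in one step.
    Rejects unknown users, expired links, wrong tokens and reused tokens."""
    row = users.get(username)
    if row is None or row["reset_hash"] is None:
        return False
    now = time.time() if now is None else now
    if now > row["reset_expires"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, row["reset_hash"]):
        return False
    # Invalidate the token before storing the new password: links are single-use.
    row["reset_hash"] = None
    row["reset_expires"] = 0.0
    row["salt"] = secrets.token_bytes(16)
    row["pw_hash"] = hash_password(new_password, row["salt"])
    row["force_change"] = 0  # the 'set forcechangepassword to 0' step
    return True


def login(username, password):
    """Returns 'denied', 'must_change_password' (flag still set) or 'ok'."""
    if not verify_password(username, password):
        return "denied"
    if users[username]["force_change"] == 1:
        return "must_change_password"
    return "ok"


if __name__ == "__main__":
    create_user("alice", "correct horse")
    tok = request_reset("alice", now=1000.0)
    print(reset_link("alice", tok))
    print(login("alice", "correct horse"))                       # must_change_password
    print(complete_reset("alice", "not-the-token", "x", now=1001.0))  # False
    print(complete_reset("alice", tok, "new pass", now=1001.0))  # True
    print(login("alice", "new pass"))                            # ok
```

Because only the SHA-256 of the token is stored, someone who reads the table with `select *` (the situation #7 describes) sees neither passwords nor usable reset links; the raw token exists only in the email.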

#6 creativecoding (Hash != Encryption) - Reputation: 926 - Posts: 3,205 - Joined: 19-January 10

Re: Creating a "Forgot Password" for encrypted passwords

Posted 07 October 2010 - 06:23 PM

Ahh...

Mind telling the difference between encryption and hash?

#7 no2pencil (Toubabo Koomi) - Reputation: 5246 - Posts: 27,062 - Joined: 10-May 07

Re: Creating a "Forgot Password" for encrypted passwords

Posted 07 October 2010 - 06:32 PM

A hash is a 32bit representation of a 'thing'. For example you can md5 hash a file, to test its contents. Say I have a file & I pass it to md5. I now have a 32bit value that is for this file. I send you the file, but you don't know if the file is complete. You pass your copy of the file to md5 & we compare hashes. You now know, without a doubt, that the file is or isn't 100% the same as what I sent to you. Is this encryption? No. It's a hash. Can you take the hash & make it into a file again?

So you can hash strings. You pass a string into md5, & you get a 32bit value. When someone gets ahold of your database, & issues a select * on the password field, they now have a ton of 32bit strings. Can they get the passwords back? No. So it works ok for security.

Encryption is a completely different animal. There are many different types of encryption, however I don't know a thing about any of them, so I can't really offer too much help. The one thing that I can say is that when you are working with encryption, the value of your item that is encrypted can be usable at both ends. Meaning you can always encrypt & decrypt the value back & forth.

Say you took the string 'hello world', & I said make all the o's into x's. This is a horrible example of encryption, but point being that we translate o to x. So you take your string 'hellx wxrld' & you send it to me. I pass it through my decryption that turns the x's to o's, & I have the readable, original string back.

#8 JackOfAllTrades (Saucy!) - Reputation: 6058 - Posts: 23,495 - Joined: 23-August 08

Re: Creating a "Forgot Password" for encrypted passwords

Posted 07 October 2010 - 06:38 PM

Like no2pencil states, hashing is a one-way, hopefully irreversible operation. For any one datum there is but one hash that will be generated (given a sufficient and proper algorithm; MD5 has demonstrated collisions, making it not truly a good algorithm any longer). For example, the MD5 hash for the word "password" is 5f4dcc3b5aa765d61d8327deb882cf99, which is why one should always salt hashes prior to storing them; if you stored it as is and a cracker found it, it would be easily understood.

Encryption is always symmetric and relies on keys on both ends to encrypt/decrypt the data passed. If you lose the key, you lose your data.

Google and Wikipedia are a good source of information on this stuff.
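An added example, not code from the thread, illustrating in Python the distinction posts #7 and #8 draw between hashing and encryption: md5 of "password" yields the 32-hex-character (128-bit) digest quoted in #8; the file-integrity comparison from #7; why two users with the same unsalted password end up with the same stored hash, so that one lookup table breaks both, which is the reason #8 gives for salting; and a keyed XOR cipher standing in for #7's letter-swap, where the same key is needed on both ends and a wrong key yields garbage. The cipher is symmetric like the ones the posts describe (asymmetric schemes also exist but are not covered here). Function names, salts and sample values are constructed for this example.

```python
import hashlib
import hmac
import secrets


def md5_hex(data):
    """One-way digest of arbitrary-length input: always 128 bits, shown as 32 hex chars."""
    return hashlib.md5(data).hexdigest()


def file_matches(local_copy, expected_md5):
    """The 'did the file arrive intact' check from post #7: hash your copy, compare."""
    return hmac.compare_digest(md5_hex(local_copy), expected_md5)


def unsalted_store(password):
    """What a bare md5 password column holds: identical passwords, identical hashes."""
    return md5_hex(password.encode())


def salted_store(password, salt=None):
    """Per-user random salt prepended before hashing, so equal passwords differ.
    Returns (salt_hex, digest_hex); both are stored in the user's row."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def salted_verify(password, salt_hex, stored_digest):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, candidate = salted_store(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_digest)


def xor_crypt(data, key):
    """Toy symmetric cipher: XOR with a key at least as long as the data.
    Applying it twice with the same key returns the original; a different key does not."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(b ^ k for b, k in zip(data, key))


if __name__ == "__main__":
    print(md5_hex(b"password"))  # the value quoted in post #8

    # Same password, two users, no salt: the stored values are identical.
    print(unsalted_store("password") == unsalted_store("password"))
    # With per-user salts the stored values differ even for the same password.
    s1, d1 = salted_store("password")
    s2, d2 = salted_store("password")
    print(d1 != d2, salted_verify("password", s1, d1))

    # Encryption round-trips with the key; losing the key means losing the data.
    key = secrets.token_bytes(16)
    ct = xor_crypt(b"hello world", key)
    print(xor_crypt(ct, key))                        # b'hello world'
    print(xor_crypt(ct, secrets.token_bytes(16)))    # unreadable bytes
```

The hash functions take no key and cannot be run backwards; the cipher takes a key and must be, which is the operational difference the two posts are circling.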

#9 creativecoding (Hash != Encryption) - Reputation: 926 - Posts: 3,205 - Joined: 19-January 10

Re: Creating a "Forgot Password" for encrypted passwords

Posted 07 October 2010 - 06:43 PM

Wow! Thanks!
