Posted by shimmyshack on 03/29/07 16:34
On 29 Mar, 17:13, custom...@gmail.com wrote:
> On Mar 29, 10:23 am, Floortje <l...@zingmaarmetmijmee.enel> wrote:
>
> > custom...@gmail.com wrote:
>
> > > I have designed a site that requires users to login. Me being new to
> > > php, I hired a guy to help me setup the database. He set it up and it
> > > works flawlessly. Well.. instead of helping me finish the project, he
> > > has pretty much disappeared.
>
> > > Looking at the code, the passwords are stored using Md5 encryption in
> > > the database. I was able to get a password retrieval form working,
> > > but it's sending the passwords encrypted.
>
> > > Can they be retrieved unencrypted via form?
>
> > No
>
> > You need to reset the password.
>
> > --
> > Arjen http://www.hondenpage.com
>
> Thanks! All the work I put into it did me no good, but keeps me from
> continuing on the wrong path.
>
> I appreciate the response.

This has been said here before, but it isn't possible without SSL or a
js implementation of asymmetric encryption to /change/ the password.
Because hashes are one way it is not possible to let either party see
something that cannot be sniffed along the way. However using email
has similar difficulties due to its inherent insecurity, but it can be
made secure if the user gets their email using SSL webmail or secure
pop.

When a user wishes to change their password, first they must prove to
your system that they know a little bit about the user whose password
they wish to change, so asking an email address and user is OK, but
not great. Then your server needs to find those two in the same row of
the database - which is why you ask for it on signup - and set a
random string in the "reset" column of the same row perhaps, and send
an email to that user "someone probably you has requested to reset
your password" click here if you wish this, or don't do anything.

The "here" link is of the form
<a href="https://server.com/pass_reset.php?id=random_string">here</a>
the script looks up the random string, and knows which password to
reset, the markup for pass_reset.php is just a form asking for the new
password twice, and a hint which can be stored in a new "hint" column
of the same table. This is done over SSL so it's secure, the server
then md5 or sha1(password) and the thing is stored against the random
string row. An email can then be sent as confirmation, together with
the hint.

It's not great, in fact this is a _whole_ area but this follows the
model of a lot of forums, it's a good trade off between inconvenience
and security, like not posting armed guards at hospitals, or swimming
with iron underwear in a zone where sharks are sometimes seen.
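
The reset flow described in the post above, written out in PHP as an added example that is not part of the original thread or anyone's posted code. It assumes PDO and a hypothetical `users` table (`username`, `email`, `pass_hash`, `reset_hash`, `reset_expires`); it also goes beyond the post by using `password_hash()` instead of md5/sha1, storing only a SHA-256 of the emailed token, and expiring the link after an hour.

```php
<?php
declare(strict_types=1);
// Added example; the users table, its columns and the function names are assumptions.

function requestReset(PDO $db, string $user, string $email): ?string
{
    // Username and email must match the same row, as in the post.
    $q = $db->prepare('SELECT id FROM users WHERE username = ? AND email = ?');
    $q->execute([$user, $email]);
    $id = $q->fetchColumn();
    if ($id === false) {
        return null; // caller shows the same "check your mail" page either way
    }
    $token = bin2hex(random_bytes(32)); // unguessable value for the emailed link
    // Keep only a hash of the token, plus an expiry, in the "reset" columns.
    $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE id = ?')
       ->execute([hash('sha256', $token), time() + 3600, $id]);
    return 'https://server.com/pass_reset.php?id=' . $token;
}

function completeReset(PDO $db, string $token, string $new, string $repeat): bool
{
    if ($new === '' || $new !== $repeat) {
        return false; // the form asks for the new password twice
    }
    // Clearing reset_hash in the same UPDATE makes the link single-use.
    $u = $db->prepare('UPDATE users
                          SET pass_hash = ?, reset_hash = NULL, reset_expires = NULL
                        WHERE reset_hash = ? AND reset_expires > ?');
    $u->execute([password_hash($new, PASSWORD_DEFAULT), hash('sha256', $token), time()]);
    return $u->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
           pass_hash TEXT, reset_hash TEXT, reset_expires INTEGER)');
$db->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')");

$link = requestReset($db, 'alice', 'alice@example.com'); // would be emailed to the user
parse_str((string) parse_url($link, PHP_URL_QUERY), $qs);
var_dump(completeReset($db, $qs['id'], 'correct horse', 'correct horse')); // first use
var_dump(completeReset($db, $qs['id'], 'other pass', 'other pass'));       // replayed link
```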