How do you make a 'forgotten password' form when passwords are hashed?
The only way to do this is to generate a new random password and email it to the user. A user will then be able to log in and change the password, or he can just keep using his new random password.
One important thing to remember is that you should not have your form automatically reset the password and email it to the user; you need to email a link with a special code that, when clicked (from the email), will cause the password to be reset.
This is because if you were to reset the password immediately upon the user entering his username or email address, then anyone could enter a valid username and that would cause the password of that user to be reset. Sure, the cracker will not gain any access because the new password will still be emailed only to the real owner of the account, but this trick would cause a problem for an unsuspecting user.
That's why you need to have this extra step in the password reset process: send a special link with an embedded code; then, if a user has not requested that link, no harm is done, he can just ignore that email. A program should also set the timestamp for when this unique code was generated so that it is only valid for a short amount of time, say 24 hours.
Our site employs all these steps and even an extra method to check for crack attempts: if someone tries to 'guess' that secret code in the password reset link, the system will detect multiple failed attempts and will stop allowing any further tries to reset the password. A hacker will then have to wait for 'n' minutes before even being able to try to reset the password again.
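The two-step flow described above, with the 24-hour expiry and the lockout after repeated guesses, as an added Python example (not the post's own code). MAX_FAILED, LOCKOUT and the in-memory dictionaries are assumed stand-ins for a real configuration and database; only a hash of the emailed code and a salted hash of the password are ever stored.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 24 * 3600   # reset link valid for 24 hours, as the post suggests
MAX_FAILED = 5          # wrong guesses allowed before lockout (assumed value)
LOCKOUT = 15 * 60       # the 'n' minutes a locked account must wait (assumed value)

def hash_password(password):
    # salted PBKDF2 so the stored record never holds the clear-text password
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()

class ResetService:
    """Two-step reset: issue an emailed code, change nothing until it is confirmed."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry and lockout can be tested
        self.tokens = {}            # account -> (sha256(token), issued_at)
        self.failures = {}          # account -> (failed_count, locked_until)
        self.password_hashes = {}   # account -> salted password hash

    def request_reset(self, account):
        token = secrets.token_urlsafe(32)
        self.tokens[account] = (hashlib.sha256(token.encode()).hexdigest(), self.clock())
        return token  # goes into the emailed link; the password itself is untouched

    def _record_failure(self, account):
        count, locked_until = self.failures.get(account, (0, 0.0))
        count += 1
        if count >= MAX_FAILED:  # too many guesses: refuse further tries for LOCKOUT
            count, locked_until = 0, self.clock() + LOCKOUT
        self.failures[account] = (count, locked_until)

    def confirm_reset(self, account, token, new_password):
        if self.clock() < self.failures.get(account, (0, 0.0))[1]:
            return "locked"
        # unknown account and wrong code are indistinguishable to the caller
        token_hash, issued_at = self.tokens.get(account, ("", 0.0))
        if not secrets.compare_digest(token_hash, hashlib.sha256(token.encode()).hexdigest()):
            self._record_failure(account)
            return "invalid"
        if self.clock() - issued_at > TOKEN_TTL:
            return "expired"
        del self.tokens[account]  # single use: the link cannot be replayed
        self.failures.pop(account, None)
        self.password_hashes[account] = hash_password(new_password)
        return "ok"
```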