[PHP] Forgot Password Help?

Asked by frankielaguna (256points) January 11th, 2009

I’m working for a client and they want to be able to recover their users’ passwords with a lovely forgot-password script. They want the passwords to be emailed to them. I’ve already explained that using a password reset would be the best way of going about that, but nope, they want the passwords to be sent to them.

I usually use a salted md5 hash for passwords and such, but it’s not reversible (well, easily ;) ).

I was looking at base64, but that’s not really encryption; it’s more of an encoding.

Does anyone have any suggestions on what to use?


11 Answers

philo23

You could try using the built in PHP crypt() function, you pass the string and a salt you want to encrypt, then to decrypt it use the decrypt() function and the same salt. That should give you the same password back. Though really you should try to push for a randomly generated password on reset.

introv

There is no solution to this problem really. If you use any method that allows you to transfer back to the password then you create a security hole for all users.

If you wanted to get seriously involved in this sort of thing you could create a key pair for each user’s password and store it on a different machine to the database. But even then you risk getting your security machine hacked and all of the keys getting stolen, so mucho security is required.

Unless the client has a lot of money to spend, I would probably go back and say that the best way for this to be achieved is to store the passwords in the database in plain text, and see if that worries them enough to accept a randomly generated pass.

frankielaguna

@philo23 There is no decrypt function for crypt()

frankielaguna

@introv yeah :( This has been a pain in the ass. I think I’ll just build in the reset function and hear about it later. haha

philo23

Ah yes, my bad, I was thinking of the mcrypt() function, but that can be a pain to get installed and working. Sorry about that.

Vincentt

I’d say tell them that it’s insecure and store the passwords plaintext :P

You could also generate a new random password, then email that. That way, you’d meet the client’s demands yet have a secure (well, as secure as the email account) system.
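The reset flow that philo23 and Vincentt argue for (and that frankielaguna decides to build) is worked through below as an added example; it is not code from this thread. It assumes PHP 7 or later for password_hash, random_bytes and hash_equals, none of which existed in 2009, and uses an in-memory array in place of the database, with a one-hour token lifetime chosen for illustration.

```php
<?php
// Added example, not from the thread: a reset flow in which the stored
// password is never recoverable. A plain array stands in for the database.
declare(strict_types=1);

const TOKEN_TTL = 3600; // reset links expire after one hour (assumed policy)

// Store only a salted, slow one-way hash (bcrypt via password_hash).
function register(array &$users, string $email, string $password): void {
    $users[$email] = ['hash' => password_hash($password, PASSWORD_DEFAULT),
                      'reset_hash' => null, 'reset_expiry' => 0];
}

// "Forgot password" step 1: mint a random token, store only its hash, and
// return the raw token for the e-mailed link. A database dump therefore
// yields neither passwords nor usable reset tokens.
function createResetToken(array &$users, string $email, int $now): ?string {
    if (!isset($users[$email])) {
        return null; // caller still shows a generic "if that account exists..." message
    }
    $token = bin2hex(random_bytes(32));
    $users[$email]['reset_hash'] = hash('sha256', $token);
    $users[$email]['reset_expiry'] = $now + TOKEN_TTL;
    return $token;
}

// Step 2: the user follows the link and chooses a new password. The token is
// compared in constant time, must be unexpired, and is consumed on use.
function completeReset(array &$users, string $email, string $token,
                       string $newPassword, int $now): bool {
    $u = $users[$email] ?? null;
    if ($u === null || $u['reset_hash'] === null || $now > $u['reset_expiry']
        || !hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$email]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['reset_hash'] = null; // single use
    $users[$email]['reset_expiry'] = 0;
    return true;
}

// Login stays a one-way verify; nothing reversible is ever stored.
function login(array $users, string $email, string $password): bool {
    return isset($users[$email]) && password_verify($password, $users[$email]['hash']);
}

$users = [];
register($users, 'alice@example.com', 'old-secret'); // constructed sample account
$token = createResetToken($users, 'alice@example.com', time());
var_dump(completeReset($users, 'alice@example.com', $token, 'new-secret', time()));
var_dump(login($users, 'alice@example.com', 'new-secret'));
```

Only the hash of the token is kept server-side, so a leaked table gives an attacker neither the passwords nor a link they can follow; a second call to completeReset with the same token fails because the token is cleared on use.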

funkdaddy

Reversible Encryption (one example) will allow you to send the email like the client wants and keep some form of security from someone just taking the database contents and being able to view the passwords.

Is it as secure? No, but it’s a good solution with the constraints given.

Grisson

@frankielaguna Your initial instincts are right on target. Sending passwords via e-mail is never a good idea. Nothing is more disturbing to me than seeing my password appear in an e-mail from a vendor or service provider. Even the initial verification e-mail. That tells me that they store my password, and I usually won’t do business with them.

funkdaddy

That may be a better option than trying to explain plaintext and hashes to someone who doesn’t deal in things like that. Tell them you know people who do not do business with folks who store their password as it’s a sign they don’t take the security of the user’s information seriously.

Everyone understands money.

frankielaguna

@funkdaddy Awesome! This will work perfectly! Thanks!!!!
