Forum Moderators: coopster & jatar k

'Forgotten password' script

     
2:15 pm on Sep 2, 2004 (gmt 0)

New User

10+ Year Member

joined:Sept 2, 2004
posts:12
votes: 0


Hello,

I need to be able to send automatic emails to users on my website who have forgotten their passwords. I have a few questions:

The passwords are stored in a MySQL database using the MD5() function. I understand this is one-way encryption. Is there a way for it to be de-encrypted by a PHP script?

Secondly, I have no clue whatsoever about sending automated emails, and I was wondering what my options are? Is my host likely to support sending automatic emails? And where could I learn about how to send them?

Thanks in advance :)

Hannah

2:33 pm on Sept 2, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 17, 2002
posts:601
votes: 0


hannahd, welcome to WebmasterWorld!

As far as I know there is no way to decrypt md5 passwords; your best bet would be to have a secure page that would be linked from the email where they could reset the password to something different. Possibly include a security question. Mother's maiden name, something like that.

With PHP, mail() [us4.php.net] would be your best bet. It's not overly hard to use. Follow the link and it will take you to the PHP manual.

2:37 pm on Sept 2, 2004 (gmt 0)

New User

10+ Year Member

joined:Sept 2, 2004
posts:12
votes: 0


Thanks very much, Knowles. :)

Very useful. :)

3:06 pm on Sept 2, 2004 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8129
votes: 91


Welcome hannahd,

First, no, you cannot undo an MD5 hash. If you find the algorithm to do so, you can receive a ten thousand dollar prize. So what you will need to do is,
- generate a random password
- reset the password in the DB to the new random password
- perhaps set a time limit for the user to log in with the new password and reset it.
- send the password to the user.

For the random password part, just google on "php random password" and you'll find several short scripts that will do that for you.

Then you update the DB with the new password and get the user's email from the DB.

Use the php mail() [php.net] function to send the mail.

That should get you started.

Tom
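
The four steps in the post above, as an added example that is not part of the original post. It stores the temporary password with password_hash() in place of the thread's md5() and draws it from random_int(); the in-memory $users array, the function names and the one-hour limit are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
const TEMP_TTL = 3600; // assumed time limit: one hour
// Constructed in-memory stand-in for the MySQL users table.
$users = ['hannah@example.com' => [
    'hash' => password_hash('old-secret', PASSWORD_DEFAULT),
    'temp_expires' => null,
]];

function randomPassword(int $length = 16): string
{
    // random_int() is a CSPRNG; look-alike characters are left out.
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Generate, store hashed, set the time limit; returns mail() arguments.
function issueTemporaryPassword(array &$users, string $email, int $now): ?array
{
    if (!isset($users[$email])) {
        return null; // show the visitor the same page either way
    }
    $temp = randomPassword();
    $users[$email]['hash'] = password_hash($temp, PASSWORD_DEFAULT);
    $users[$email]['temp_expires'] = $now + TEMP_TTL;
    return [$email, 'Your temporary password',
        "Temporary password: $temp\nValid for one hour; change it at login."];
}

function login(array $users, string $email, string $typed, int $now): string
{
    $row = $users[$email] ?? null;
    if ($row === null || !password_verify($typed, $row['hash'])) {
        return 'denied';
    }
    if ($row['temp_expires'] === null) {
        return 'ok';
    }
    return $now <= $row['temp_expires'] ? 'must_change_password' : 'expired';
}

$now = time();
[$to, $subject, $body] = issueTemporaryPassword($users, 'hannah@example.com', $now);
$temp = substr(explode("\n", $body)[0], strlen('Temporary password: '));
echo login($users, $to, $temp, $now + 60), "\n";
echo login($users, $to, $temp, $now + TEMP_TTL + 1), "\n";
```

Because the stored hash is overwritten as soon as the reset is issued, the old password stops working from that moment, whoever requested the reset.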

5:03 pm on Sept 2, 2004 (gmt 0)

New User

10+ Year Member

joined:Sept 2, 2004
posts:12
votes: 0


Thanks Tom :)

It must be possible to de-encrypt the MD5 value as when the user logs on with his password, it will be in English. It is obviously matched up against the MD5 value, so it's finding the key somewhere.

6:25 pm on Sept 2, 2004 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


Nope. What happens is the password that the user entered is encrypted and the two encrypted values are compared.

7:01 pm on Sept 2, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 17, 2002
posts:601
votes: 0


Yeah, make sure the db field where it is stored is long enough... it will save you hours, even days in my case, of debugging trying to figure out why the passwords don't match.

7:20 pm on Sept 2, 2004 (gmt 0)

New User

10+ Year Member

joined:Sept 2, 2004
posts:12
votes: 0


I made it a varchar field of size 50. I have also made it so the passwords are never any longer than 10 characters. Is this okay?

8:31 pm on Sept 2, 2004 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8129
votes: 91


Actually, the length of the password and the length of the field are totally independent.

A common use for md5 is to verify that a file has survived transfer without corruption. So I can do an md5 hash of a 10GB file and it will be 32 characters. If I do a md5 hash of nothing at all, I get a 32-character string as well. So your password field, if using the php md5() function, should have a length of 32.

Tom

dcrombie

10:40 am on Sept 3, 2004 (gmt 0)

Inactive Member
Account Expired

 
 


You're very brave if you set it to 32 exactly. I made that mistake when crypt used standard DES encryption (13 chars).

The site stopped working entirely when moved to another server and was a PITA to debug.

2:06 pm on Sept 3, 2004 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8129
votes: 91


That's why I specified, if using md5(), not crypt() which will depend on various things. According to the manual for md5(),


The hash is a 32-character hexadecimal number

The md5 spec merely requires that it be a 128-bit hash, but the php manual (I guess it's not a spec) says that output will be 32 characters unless you are using PHP5 and use the "raw_output" parameter, in which case it will be 16 characters.
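
The points raised across this thread (fixed-length md5() output, the hash-and-compare login check, and a too-short column breaking logins), as an added example that is not part of any post. The helper names and column widths are hypothetical, and storeInColumn() only simulates a database column by truncating the string.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Stand-in for a column narrower than the value: MySQL in non-strict mode
// stores the truncated value with only a warning.
function storeInColumn(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// The login check described in the thread: hash what was typed, compare hashes.
function md5Login(string $typed, string $stored): bool
{
    return hash_equals($stored, md5($typed));
}

$password = 'tenletters'; // constructed 10-character sample

// Output length does not depend on input length.
foreach (['', $password, str_repeat('A', 1000000)] as $input) {
    printf("input %7d bytes -> hex %d chars, raw %d bytes\n",
        strlen($input), strlen(md5($input)), strlen(md5($input, true)));
}

// The same hash stored in columns of different widths.
foreach ([50, 32, 20] as $width) {
    $stored = storeInColumn(md5($password), $width);
    printf("VARCHAR(%d): login %s\n", $width,
        md5Login($password, $stored) ? 'succeeds' : 'fails');
}

// A column sized exactly for md5() breaks when the hash format changes:
// bcrypt output from password_hash() is 60 characters.
$bcrypt = password_hash($password, PASSWORD_BCRYPT);
printf("bcrypt length %d; verify from VARCHAR(32): %s, from VARCHAR(255): %s\n",
    strlen($bcrypt),
    password_verify($password, storeInColumn($bcrypt, 32)) ? 'succeeds' : 'fails',
    password_verify($password, storeInColumn($bcrypt, 255)) ? 'succeeds' : 'fails');
```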