
Forgotten Password Retrieval

What's the structure and workflow?


neophyte

2:07 am on Aug 15, 2007 (gmt 0)

10+ Year Member



Hello All -

Apologies if this isn't the correct forum for this, but since I'll be using php to execute this functionality I hope it is.

I've been tasked by a client to create a "Forgot/Lost Password" module for his project but I don't know exactly how this works. We've all seen it before - if you forget or lose your password, there's some kind of challenge or "reminder" question issued, like "what was your high-school mascot" etc. This challenge question usually appears to be displayed when the user inputs their username or email address. Upon submitting the answer to the question, the DB is queried and if the answer submitted matches the "answer field" in the DB, then the password is either re-displayed or sent to the user via email.

These are just guesses based upon my observation of these forms, but I'm not sure. I'm REALLY not sure of what kind of "challenge" questions to ask.

Could someone who has done this before please guide me through the process and workflow of such functionality?

Thanks to all in advance!

Neophyte

eelixduppy

4:20 am on Aug 15, 2007 (gmt 0)



I think you wouldn't even need to ask a security question if you are sending them their password to their email account (which I have to say is the preferred method). In the case where the password is encrypted, which generally is the case (or should be), it would be a "password reset" key that would then send instructions to their email that would allow them to reset it. To do this you'd store a unique ID in a database with the account ID, and send them a link to a page that uses that id in an uri query. Then compare that with your db and prompt a password reset. Try it out - see where you get.

Habtom

5:31 am on Aug 15, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I will second what eelixduppy said. While providing the email reset box, I would suggest adding one more box for First Name, so that a visitor can add his/her first name and the email address, and what eelixduppy just mentioned follows. This is to prevent people from randomly putting someone's email, and not exactly a security issue, but the person receiving those emails can get irritated with them or confused and change his passwords unnecessarily.

jatar_k

2:36 pm on Aug 15, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



this is not always the case, the level of security depends on what it is you are trying to protect

often you wouldn't need a security question but for more secure applications it is advisable to include the extra level

neophyte

2:01 am on Aug 16, 2007 (gmt 0)

10+ Year Member



Thank you all for your replies.

Regarding the issue of what form the password is in - yes it is an MD5 hash, so the original password must be reset. Accordingly, I've written out a workflow for my coding which goes like this:

1. User enters email address they used to create the account
2. database is queried based upon the email address entered
2a. if email address is found in the db:
2a1. the user's unique account number is selected from the db
2a2. a uri is built which points to the "reset password page". the user's unique account number will be included in the uri.
2a3. an email is sent to the user (using the email address found in the DB) which includes the uri as a link
2b. if the address is not found, the user is prompted with an error message
3. When the user receives the email sent in step 2a3, they click the URI provided
4. User is served the password reset page
5. The URI is parsed and put into a $_Session var
6. The user inputs and submits their new password and presses the submit button
7. The new password is MD5'd and compared against all other passwords in the DB
7a. If the password MATCHES an existing password in the DB, the user is prompted with an error message to select another password
7b. If the password submitted DOES NOT MATCH an existing password, the correct password field in the correct row (specified by the user's account number) is updated with the new password.

Does the foregoing workflow appear to be correct?

Follow-on: I've used Hotmail's Lost Password link as the basis for the above. What they're also using is a captcha image that the user must input after they input their email address (step 1) but before (obviously) the submit button is pressed.

Does this additional level of security (the captcha) sound appropriate as well?

Neophyte
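The reset-link workflow from eelixduppy's reply and the numbered steps above, as an added example that is not part of the original thread. It is written for PHP 7+ with PDO over an in-memory SQLite database so it runs stand-alone; the table names, function names and the reset URL are assumptions. Design points it shows: the link carries a random token rather than the account number, only a hash of the token is stored, tokens expire after an hour and are single-use, the request step behaves the same whether or not the address is on file (so the form cannot be used to enumerate accounts), and the new password is stored with password_hash() rather than a bare MD5 digest.

```php
<?php
// Added example: single-use, expiring password-reset tokens backed by SQLite.
// Schema, function names and RESET_URL are assumptions, not code from the thread.
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600;                            // token lifetime: one hour
const RESET_URL = 'https://example.com/reset.php?token='; // assumed reset endpoint

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    // Only a hash of the token is stored, so a leaked table does not yield usable links.
    $pdo->exec('CREATE TABLE password_resets (
        user_id INTEGER NOT NULL, token_hash TEXT UNIQUE NOT NULL,
        expires_at INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');
    return $pdo;
}

// Steps 1-2: look up the address and, if it exists, mint a token and build the link.
// The link is returned here so the demo can inspect it; production code e-mails it
// to the address on file and shows the same neutral message in both branches.
function requestReset(PDO $pdo, string $email): ?string {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;                        // unknown address: send nothing, say nothing
    }
    // Invalidate any earlier outstanding token for this account.
    $pdo->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([(int)$userId]);
    $token = bin2hex(random_bytes(32));     // 256 bits from the CSPRNG; never the account id
    $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at)
                   VALUES (?, ?, ?)')
        ->execute([(int)$userId, hash('sha256', $token), time() + RESET_TTL_SECONDS]);
    return RESET_URL . $token;
}

// Steps 3-7: validate the token from the link and set the new password.
function completeReset(PDO $pdo, string $token, string $newPassword): bool {
    $stmt = $pdo->prepare('SELECT user_id, token_hash FROM password_resets
                           WHERE token_hash = ? AND used = 0 AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown, expired or already-used token
    }
    $pdo->beginTransaction();
    $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), (int)$row['user_id']]);
    $pdo->prepare('UPDATE password_resets SET used = 1 WHERE token_hash = ?')
        ->execute([$row['token_hash']]);
    $pdo->commit();
    return true;
}

// Demo with a constructed user.
$pdo = openDb();
$pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
    ->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

var_dump(requestReset($pdo, 'nobody@example.com'));      // unknown address: nothing minted
$link = requestReset($pdo, 'alice@example.com');
$token = substr($link, strlen(RESET_URL));
var_dump(completeReset($pdo, 'not-a-real-token', 'x'));  // bogus token is rejected
var_dump(completeReset($pdo, $token, 'new-password'));   // genuine token resets the password
var_dump(completeReset($pdo, $token, 'again'));          // second use of the same token is rejected
$hash = $pdo->query("SELECT password_hash FROM users WHERE email = 'alice@example.com'")
            ->fetchColumn();
var_dump(password_verify('new-password', $hash));        // the new password now verifies
```

Run it with `php reset_example.php`. Step 5 of the posted workflow (parsing the URI into a session variable) is unnecessary in this design: the reset form simply carries the token through as a hidden field, and the database row, not the session, decides whether it is still valid.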

jatar_k

3:22 am on Aug 16, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> 7. The new password is MD5'd and compared against all other passwords in the DB

why is it compared?

neophyte

4:30 am on Aug 16, 2007 (gmt 0)

10+ Year Member



Jatar -

It's compared to all passwords in the db to make sure the new (reset) password desired by the user doesn't already exist for any other (or even the current) user.

I'm not sure this is the correct (or preferred) way of doing this... I'm just kind of feeling my way along this process.

jatar_k

4:34 am on Aug 16, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



no need to check it

the point is that the user/pass combination is always unique, the pass/email address is the part that always needs to be unique, don't worry about people having the same password

Habtom

4:44 am on Aug 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



don't worry about people having the same password

. . . and don't do it.

You might give somebody a hint if you display back the same password exists message.

Habtom

jatar_k

5:09 am on Aug 16, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



good call Habtom

neophyte

6:42 am on Aug 16, 2007 (gmt 0)

10+ Year Member



Jatar/Habtom -

Okay, I understand now. thanks for that clarification.

Aside from the comparing-passwords clarification:

1. Is it a good/preferred extra security concept to use a captcha (like Hotmail does) during the first step of resetting one's password, and...

2. is my proposed workflow for this functionality seem a solid one to those who have done this sort of thing before?

As always, thanks to all!

Neophyte

stajer

5:06 pm on Aug 16, 2007 (gmt 0)

10+ Year Member



> 2a2. a uri is built which points to the "reset password page". the users unique account number will be included in the uri.

Don't reveal userid info to the public - this is likely your pkID on that table. Encrypt the userid before putting it in the url. Decrypt on the reset pwd page.

Either implement a captcha or limit the number of resets that can be executed in a time period to prevent brute force attacks.

henry0

9:47 pm on Aug 16, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




limit the number of resets that can be executed in a time period to prevent brute force attacks

I like that, never thought about it

What's the plan:
add two columns: reset_num and reset_timestamp
where reset is auto-incremented
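The rate limit stajer suggested, built on the two columns henry0 proposes, as an added example that is not part of the original thread. It is PHP 7+ with PDO over in-memory SQLite; the table and function names are assumptions. Each key (the requested e-mail address and, separately, the requesting IP) gets a fixed window: reset_timestamp records when the window opened and reset_num counts requests inside it. The clock is passed in as a parameter so the window expiry can be exercised without waiting.

```php
<?php
// Added example: fixed-window limit on password-reset requests, keyed per address
// and per client IP. Column and function names are assumptions, not from the thread.
declare(strict_types=1);

const RESET_LIMIT = 3;              // requests allowed per window
const RESET_WINDOW_SECONDS = 3600;  // window length: one hour

function openLimiterDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per key: the request count and the start of its current window.
    $pdo->exec('CREATE TABLE reset_attempts (
        key_name TEXT PRIMARY KEY, reset_num INTEGER NOT NULL, reset_timestamp INTEGER NOT NULL)');
    return $pdo;
}

// Returns true if a reset request for $key may proceed at time $now, and records it.
function allowReset(PDO $pdo, string $key, int $now): bool {
    $stmt = $pdo->prepare('SELECT reset_num, reset_timestamp FROM reset_attempts WHERE key_name = ?');
    $stmt->execute([$key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int)$row['reset_timestamp'] >= RESET_WINDOW_SECONDS) {
        // First request, or the previous window has elapsed: start a fresh window.
        $pdo->prepare('INSERT OR REPLACE INTO reset_attempts VALUES (?, 1, ?)')
            ->execute([$key, $now]);
        return true;
    }
    if ((int)$row['reset_num'] >= RESET_LIMIT) {
        return false;                   // window still open and quota already spent
    }
    $pdo->prepare('UPDATE reset_attempts SET reset_num = reset_num + 1 WHERE key_name = ?')
        ->execute([$key]);
    return true;
}

// A request must clear both the per-address and the per-IP limit; the per-IP key
// stops one client from cycling through many addresses. The address counter is
// checked first, so a client already throttled per address is not charged per IP.
function resetRequestAllowed(PDO $pdo, string $email, string $ip, int $now): bool {
    return allowReset($pdo, 'email:' . strtolower($email), $now)
        && allowReset($pdo, 'ip:' . $ip, $now);
}

$pdo = openLimiterDb();
$t0 = 1700000000;  // constructed clock value
// More requests than RESET_LIMIT inside one window: the last ones are throttled.
for ($i = 1; $i <= RESET_LIMIT + 1; $i++) {
    printf("request %d: %s\n", $i,
        resetRequestAllowed($pdo, 'alice@example.com', '203.0.113.5', $t0) ? 'allowed' : 'throttled');
}
// Once the window has elapsed the counter restarts.
printf("after window: %s\n",
    resetRequestAllowed($pdo, 'alice@example.com', '203.0.113.5', $t0 + RESET_WINDOW_SECONDS)
        ? 'allowed' : 'throttled');
```

Call `resetRequestAllowed()` before the e-mail lookup in the reset form and return the same neutral message whether the request was throttled or not, so the limiter itself does not become an account-enumeration signal.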

jatar_k

2:25 am on Aug 17, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



good catch stajer

I would use a security question over the captcha

limited resets is fine too