PHP Security and Encryption Dealing with Lost Passwords

PHP Security and Encryption

Dealing with Lost Passwords

Problem

You want to issue a password to a user who has lost her password.

Solution

Generate a new password and send it to the user’s email address (which you should have on file):

       /* Generate new password. */

       $new_password = '';

       for ($i = 0; $i < 8; $i++) {

       $new_password .= chr(mt_rand(33, 126));

       }

       /* Hash new password. */

       $hashed_password = password_hash($new_password, PASSWORD_DEFAULT);

       /* Save new hashed password to the database. */

       $st = $db->prepare('UPDATE users

                                              SET password = ?

                                              WHERE username = ?');

       $st->execute(array($hashed_password, $clean['username']));

       /* Email new plain text password to user. */

       mail($clean['email'], 'New Password', "Your new password is: $new_password");

Note that this code uses the PHP 5.5–only password_hash() function. If you’re using an older version of PHP, follow the recommendations.

Discussion

If a user forgets her password, and you store hashed passwords as recommended, you can’t provide the forgotten password. The one-way nature of hashing prevents you from retrieving the plain-text password.

Instead, generate a new password and send that to her email address. If you send the new password to an address you don’t already have on file for that user, you don’t have a way to verify that the new address really belongs to the user. It may be an attacker attempting to impersonate the real user.

Because the email containing the new password isn’t hashed, the code in the Solution doesn’t include the username in the email message to reduce the chances that an attacker that eavesdrops on the email message can steal the password. To avoid disclosing a new password by email at all, let a user authenticate herself without a password by answering one or more personal questions (the answers to which you have on file). These questions can be “What was the name of your first pet?” or “What’s your mother’s maiden name?” —anything a malicious attacker is unlikely to know. If the user provides the correct answers to your questions, you can let her choose a new password.

One way to compromise between security and readability is to generate a password for a user out of actual words interrupted by some numbers:

       $words = array('mother', 'basset', 'detain', 'sudden', 'fellow', 'logged',

                                    'remove', 'snails',  'direct',  'serves',   'daring', 'chirps',

                                    'reward',  'snakes','uphold','wiring',  'nurses', 'regent',

                                    'ornate',  'dogmas','mended','hinges','verbal', 'grimes',

                                    'ritual',    'drying',  'chests', 'newark', 'winged','hobbit');

       $word_count = count($words);

       $password = sprintf('%s%02d%s',

                                             $words[mt_rand(0,$word_count - 1)],

                                             mt_rand(0,99),

                                             $words[mt_rand(0,$word_count - 1)]);

       echo $password;

This code produces passwords that are two six-letter words with two numbers between them, like mother43hobbit or verbal68nurses. The passwords are long, but remembering them is made easier by the words in them.

Sending a new password to a user’s email address implicitly assumes that the person reading the email at that address is authorized to log in. Based on that assumption you could also just email the user a one-time-use URL. When she visits that URL, show her a page that lets her reset her password. If the URL is sufficiently hard to guess, then you can be confident that only the email recipient will access it.