Old 07-05-2008, 18:20   #1 (permalink)
jesusfreak101
ie must die
Join Date: Jun 2007
Location: Washington
Posts: 206
php forgot password

I've been working on a php login for a couple days and I have all my files and database working correctly. In my database called members I have a table called members. In it I have 6 rows:

ID, username, user_password, firstname, lastname, email

Now I'm creating a 'forgot password' script. I got a script and it works good, except the password that it retrieved was encrypted. I wanted it to retrieve the password without it being encrypted. The encryption I have set up is sha1. Below is my forgotpassword.php script. Would anyone be kind to show how to make it retrieve it without the encryption?

PHP Code:
<?php
include('db.php');

// value sent from form
$email_to = isset($_POST['email']) ? trim($_POST['email']) : '';

// table name
$tbl_name = "members";

// retrieve password from table where e-mail = $email_to (whatever@whatever.com)
// the form value is escaped before it goes into the query
$email_sql = mysql_real_escape_string($email_to);
$sql = "SELECT user_password FROM $tbl_name WHERE email = '$email_sql'";
$result = mysql_query($sql);

// if found this e-mail address, row must be 1 row
// keep value in variable name "$count"
$count = $result ? mysql_num_rows($result) : 0;

// compare if $count = 1 row
if ($count == 1) {

    $rows = mysql_fetch_array($result);

    // keep password in $your_password
    // (user_password holds the sha1 value, so that is what gets mailed)
    $your_password = $rows['user_password'];

    // ---------------- SEND MAIL FORM ----------------

    // send e-mail to ...
    $to = $email_to;

    // Your subject
    $subject = "Your password here";

    // From
    $header = "from: your name <your email>";

    // Your message
    $messages = "Your password for login to our website \r\n";
    $messages .= "Your password is $your_password \r\n";
    $messages .= "more message... \r\n";

    // send email
    $sentmail = mail($to, $subject, $messages, $header);

    // if your email successfully sent
    if ($sentmail) {
        echo "Your Password Has Been Sent To Your Email Address.";
    }
    else {
        echo "Cannot send password to your e-mail address";
    }
}

// else if $count not equal 1
else {
    echo "Sorry, we did not find your email in our database";
}

?>

much thnx appreciated
Old 07-05-2008, 18:34   #2 (permalink)
freelancr
Web Developer
Join Date: Oct 2006
Location: Stratford-upon-Avon, Warwickshire, UK
Posts: 1,848
sha1 is a hashing algorithm and is intended to be irreversible. As such your "forgot password" script will need to identify the user by other means, then generate and send them a new password to use to log in.
Old 07-05-2008, 18:36   #3 (permalink)
jesusfreak101
Quote:
Originally Posted by freelancr
sha1 is a hashing algorithm and is intended to be irreversible.

should i make it md5 then?
Old 08-05-2008, 01:32   #4 (permalink)
haku
shiro
Join Date: Aug 2007
Location: Yokohama, Japan
Posts: 1,306
No, MD5 hashes it in the same manner that Sha1 does.

You can't retrieve a hashed password in an un-hashed form. It's a one-way road.

What I have done is this:
1) When the user clicks 'forgot password', I bring them to a page where they input the email address they registered with. The user inputs their email address and then...
2) my script creates a random 20 character alphanumeric code. I hash this, and put it in the database. Then I append the unhashed version as a get variable to confirm.php, so it looks like this: confirm.php?number=askld23432kl324kl32jklj234 or something. I email this link to the account that the person registered under.
3) When the user clicks the link, they are taken to confirm.php. The first thing I do is grab $_GET['number'], hash it, and check to see if the hashed version is in the database. If it is, then I output an input into which the user has to again type their email address (this is an extra step to confirm that the person hasn't just started poking in random $_GET variables to see if they can find one that works).
4) After inputting their email address, I bring them to a page where I first check to see if that email address was correct. If it was, they enter their new password into a form and hit submit, and the script updates their password in the database with the new password.

That's the thing about passwords if they are done correctly - only the user ever knows what they are. They aren't visible when the user types it in (due to everything outputting as asterisks), and they are hashed before entry in the database, so even the administrator doesn't know the user's password. And in this way they can never be recovered, only overwritten.
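The reset flow haku describes, sketched as an added example that is not code from the thread: only the hash of the mailed code is stored, so a dumped table does not yield working confirm.php links. The array standing in for the database table, the function names, the one-hour expiry and the single-use rule are assumptions that go beyond the post.

```php
<?php
// Added example, not from the thread. $resets stands in for a database table
// (assumption); issue_reset() and redeem_reset() are hypothetical names.

const RESET_TTL = 3600; // assumed lifetime of a reset link, in seconds

// Step 2: create a 20-character code, store only its hash, and return the raw
// code so the caller can mail confirm.php?number=<code> to the registered address.
function issue_reset(array &$resets, string $email, int $now): string
{
    $code = bin2hex(random_bytes(10)); // 20 hex characters from the CSPRNG
    $resets[hash('sha256', $code)] = ['email' => strtolower($email), 'expires' => $now + RESET_TTL];
    return $code;
}

// Steps 3 and 4: hash the submitted code, look it up, re-check the e-mail,
// then produce the new password hash to store. Returns null on any failure.
function redeem_reset(array &$resets, string $code, string $email, string $newPassword, int $now): ?string
{
    $key = hash('sha256', $code);
    if (!isset($resets[$key])) {
        return null; // unknown or already used code
    }
    $row = $resets[$key];
    unset($resets[$key]); // single use, even if the e-mail check below fails
    if ($now > $row['expires'] || !hash_equals($row['email'], strtolower($email))) {
        return null;
    }
    return password_hash($newPassword, PASSWORD_DEFAULT);
}

// Constructed walk-through.
$resets = [];
$now    = time();
$code   = issue_reset($resets, 'user@example.com', $now);
echo "mailed link:  confirm.php?number=$code\n";

// What a dumped table row would show: the SHA-256 of the code, not the code.
echo "stored value: " . array_key_first($resets) . "\n";

echo "guessed code rejected: ";
var_dump(redeem_reset($resets, 'guess', 'user@example.com', 'n3w-pass', $now) === null);
$hash = redeem_reset($resets, $code, 'user@example.com', 'n3w-pass', $now);
echo "new password verifies: ";
var_dump(password_verify('n3w-pass', $hash));
echo "second use rejected:   ";
var_dump(redeem_reset($resets, $code, 'user@example.com', 'again', $now) === null);
```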
Old 08-05-2008, 12:19   #6 (permalink)
jesusfreak101
so my best bet is to reset the password?
Old 08-05-2008, 13:00   #7 (permalink)
Hunch
Grumpy old man
Join Date: Oct 2007
Location: North Japan
Posts: 1,128
Quote:
Originally Posted by haku
2) my script creates a random 20 character alphanumeric code. I hash this, and put it in the database. Then I append the unhashed version as a get variable to confirm.php, so it looks like this: confirm.php?number=askld23432kl324kl32jklj234 or something. I email this link to the account that the person registered under.

Why?

What benefit does it serve you keeping a hashed version in the database, when you're sending them an unhashed version via unencrypted email? You're trying to hide the random code from yourself!?
Old 08-05-2008, 13:15   #8 (permalink)
pgo
Moderator
Join Date: Jan 2005
Location: Brooklyn, NYC
Posts: 11,869
Quote:
Originally Posted by Hunch
Why?

What benefit does it serve you keeping a hashed version in the database, when you're sending them an unhashed version via unencrypted email? You're trying to hide the random code from yourself!?

Good point. I'd just generate a random string and email it to them.
Old 08-05-2008, 13:37   #9 (permalink)
haku
Just for an added level of disconnect between what's in the database, and what is emailed to the person. I realize that I would have much bigger problems if someone had access to my database, but I still feel better with that in there than not.
Old 08-05-2008, 17:02   #10 (permalink)
jesusfreak101
I unhashed the registered passwords that would sign up so that the user would be able to receive it unhashed whenever they'd like to receive it. My script works perfect in all, but I was wondering... is this bad? I know haku said that it's a problem if someone had access to his database. But what are some other defects?
Old 08-05-2008, 17:17   #11 (permalink)
pgo
Quote:
Originally Posted by jesusfreak101
I unhashed the registered passwords that would sign up so that the user would be able to receive it unhashed whenever they'd like to receive it.

So, your website is totally insecure. Awesome.
Old 08-05-2008, 17:26   #12 (permalink)
jesusfreak101
Quote:
Originally Posted by pgo
So, your website is totally insecure. Awesome.

lol i never understood how hackers would hack ppl's passwords with php
Old 08-05-2008, 18:29   #13 (permalink)
freelancr
Quote:
Originally Posted by jesusfreak101
I unhashed the registered passwords that would sign up so that the user would be able to receive it unhashed whenever they'd like to receive it. My script works perfect in all, but I was wondering... is this bad? I know haku said that it's a problem if someone had access to his database. But what are some other defects?

How are you unhashing a hash? Or are you talking about storing the password in plain text alongside the hashed version? How do you remember to keep breathing in and out?

You asked for advice, and you have ignored it and gone off in your own little world. Why fucking ask in the first place? Waste of bloody time.

Old 08-05-2008, 18:59   #14 (permalink)
Larixk
Senior Member
Join Date: Sep 2006
Location: Utrecht, Netherlands
Posts: 856
Remember that most visitors use the same password for multiple sites. So when your site's security gets breached, and for instance password + email info is acquired, the hackers will often be able to log into your visitors' webmail accounts and so completely steal someone's identity.

One ignorant developer on one arbitrary site can lead to serious problems for people. Don't be that developer.

Always hash+salt, never store any dangerous info unencrypted.
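One way to move the members table from unsalted sha1 to salted hashes, as an added example that is not code from the thread: PHP's password_hash() generates and embeds a per-password salt, and an old sha1 value is replaced the next time its owner logs in. The array standing in for the table and the function names are assumptions.

```php
<?php
// Added example, not from the thread. $members stands in for the members table;
// store_password() and check_login() are hypothetical names.

// New registrations: password_hash() picks a random salt and embeds it in the result.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login check that accepts a legacy unsalted sha1 value once and upgrades it.
// Returns [bool $ok, string $valueToStoreInUserPassword].
function check_login(string $password, string $stored): array
{
    $isLegacySha1 = (bool) preg_match('/^[0-9a-f]{40}$/', $stored);
    if ($isLegacySha1) {
        $ok = hash_equals($stored, sha1($password));
        return [$ok, $ok ? store_password($password) : $stored];
    }
    $ok = password_verify($password, $stored);
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = store_password($password); // algorithm or cost has moved on
    }
    return [$ok, $stored];
}

// Constructed rows: two users who picked the same password, stored as plain sha1.
$members = ['alice' => sha1('sunshine1'), 'bob' => sha1('sunshine1')];
echo "sha1 column values equal:    ";
var_dump($members['alice'] === $members['bob']);

// Both log in; each row is rewritten with its own salted hash.
[$ok, $members['alice']] = check_login('sunshine1', $members['alice']);
[,    $members['bob']]   = check_login('sunshine1', $members['bob']);
echo "login ok during upgrade:     ";
var_dump($ok);
echo "upgraded values equal:       ";
var_dump($members['alice'] === $members['bob']);
echo "upgraded row still verifies: ";
var_dump(check_login('sunshine1', $members['bob'])[0]);
echo "wrong password accepted:     ";
var_dump(check_login('wrong', $members['bob'])[0]);
```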
Old 08-05-2008, 19:15   #15 (permalink)
jesusfreak101
Quote:
Originally Posted by freelancr
You asked for advice, and you have ignored it and gone off in your own little world. Why fucking ask in the first place? Waste of bloody time.


i was looking for a quick fix, and plus my future goal is to reset the password.

but thnx for ur comment

i will use ur guy's info
Old 09-05-2008, 03:37   #16 (permalink)
haku
What happens is people don't necessarily get raw access to your database, but they find an opening in your code somewhere, and they exploit that to do a database dump. They will dump out the contents of whatever table they find that they can get into. If that table happens to be your table with the passwords in it, they now have a list of all your users and all their passwords, which they can use to not only get into your site, but as Larixk said, they often can get into other people's sites as well.

Look through the procedure I outlined above, and spend a bit of time developing something along the same lines. If you don't do so, it's not that fair to your users. If you want to be able to change passwords, then you create another form somewhere that lets you input a password that then updates the database with that password for whatever user it is you are working on.
Old 12-05-2008, 14:10   #17 (permalink)
jesusfreak101
How do big sites like myspace and youtube send you your actual password instead of a reset? Do they have them hashed or do they convert them?
Old 12-05-2008, 14:43   #18 (permalink)
pgo
Don't know. They probably use a custom/reversible hashing algorithm.
Old 12-05-2008, 15:10   #19 (permalink)
freelancr
Quote:
Originally Posted by jesusfreak101
How do big sites like myspace and youtube send you your actual password instead of a reset? Do they have them hashed or do they convert them?

Knowing myspace they probably don't bother doing anything to the password and store it as plain text.

Facebook probably use encryption if they don't reset the password.
Old 12-05-2008, 19:38   #20 (permalink)
haku
Just because they are big, doesn't mean they are doing it right.