I'm going to implement password recovery in my authentication. I haven't put this together in a while and am wondering if there is anything I ought to be aware of.
My idea at the moment is:
- User clicks "Forgot my password" to go to the password recovery page: a form with an email field
- They enter their email, and an email is sent to that address with a link and password recovery token/key (MD5 string – it just needs to be somewhat random and long, right?). An entry is also made in the password_recovery database table which ties that token to their account, and an expiry date (1 hour?)
- They retrieve the email and click the link to take them to a password set page: two fields to enter their password, and confirm their password again.
- Done, please log in again with the new password
Does that seem OK? Anything changed over the years where this approach is no longer recommended?
UPDATE
Additions that I opted for:
- I store the token in the database hashed. If a hacker were able to access the database table somehow, they wouldn't be able to use the stored tokens .. hopefully (hashed with sha256)
Best Answer
Yes, assuming emails are the primary form of authentication of your site.
Not that I know of.
Here are some points that you need to take into consideration.
What type of feedback you will give the user
When the email does not exist, what will you say and do?
If your system uses usernames, it might be better to ask for the username, not the email address. You send the recovery email to the email address associated with the account, without disclosing it to the user.
How do you protect the process against abuse
The token
The token is really a One Time Password for a user account.
bin2hex(openssl_random_pseudo_bytes(16));
users
table, rather than a separate table.
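The flow described in the question (email form, emailed token, recovery record with an expiry, set-password page) together with the answer's points on the token (a one-time secret from a CSPRNG, stored only as a SHA-256 hash, with a "forgot password" response that does not reveal whether the address is registered), worked through as an added example. This is not code from the question or the answer, and it is in Python rather than the PHP the answer's snippet uses; the class, the in-memory "tables", the sample user and the `outbox` stand-in for sending mail are all assumptions made for the example.

```python
"""Constructed password-reset token flow (example code, not the page's own).

Assumptions: users are an in-memory {email: user_id} mapping, recovery
records live in a dict keyed by token hash, and "sending" an email means
appending to an outbox list. Nothing here is a real project's API."""

import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_BYTES = 16           # 128 bits of randomness, as in bin2hex(...16 bytes...)
TOKEN_TTL_SECONDS = 3600   # the "1 hour?" expiry from the question
PBKDF2_ROUNDS = 600_000    # for the final password hash, not the token


@dataclass
class RecoveryRecord:
    user_id: int
    token_hash: str     # sha256 hex digest; the raw token is never stored
    expires_at: float


class PasswordRecovery:
    def __init__(self, users: dict, now: Callable[[], float] = time.time):
        self.users = users                        # assumed: {email: user_id}
        self.now = now                            # injectable clock for testing
        self.recovery: dict[str, RecoveryRecord] = {}   # the password_recovery table
        self.passwords: dict[int, tuple[bytes, bytes]] = {}  # user_id -> (salt, hash)
        self.outbox: list[tuple[str, str]] = []   # (email, raw token) "sent" mail

    @staticmethod
    def _hash_token(token: str) -> str:
        # Same one-way hash the asker chose (sha256) so a leaked table is useless.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_reset(self, email: str) -> str:
        """Step 1-2: accept the email form and mail a token if the account exists.
        The returned message is identical either way, so the response does not
        disclose whether the address is registered (the answer's feedback point)."""
        user_id = self.users.get(email)
        if user_id is not None:
            # One active token per account: an older, unused token is dropped.
            self.recovery = {h: r for h, r in self.recovery.items()
                             if r.user_id != user_id}
            token = secrets.token_bytes(TOKEN_BYTES).hex()   # CSPRNG, 32 hex chars
            token_hash = self._hash_token(token)
            self.recovery[token_hash] = RecoveryRecord(
                user_id, token_hash, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))   # only the raw token leaves the server
        return "If that address is registered, a reset link has been sent."

    def redeem(self, token: str) -> Optional[int]:
        """Step 3: look the token up by its hash, enforce expiry, consume it.
        Returns the user id on success, None otherwise."""
        token_hash = self._hash_token(token)
        record = self.recovery.pop(token_hash, None)   # pop: one-time use
        if record is None:
            return None
        if self.now() > record.expires_at:   # expired tokens are purged, not honoured
            return None
        return record.user_id

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 4: set the new password for the account the token identifies."""
        user_id = self.redeem(token)
        if user_id is None:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
        self.passwords[user_id] = (salt, digest)
        return True

    def verify_password(self, user_id: int, password: str) -> bool:
        """Used by the normal login after the reset ("please log in again")."""
        stored = self.passwords.get(user_id)
        if stored is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return secrets.compare_digest(candidate, digest)
```

The two checks worth carrying over to a real implementation are the ones the test below exercises: the same response for known and unknown addresses, and a token that works exactly once, only before its expiry, and only as long as it is the newest one issued for that account.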