Advice on creating a "Forgotten Password?" function?

Thread began 1/30/2017 5:17 pm by Nathon Jones Web Design | Last modified 2/03/2017 3:12 pm by Ray Borduin | 552 views | 8 replies |

Nathon Jones Web Design

I need to add a "Forgotten Password" option to a sign in form which, as I understand, is best if you simply reset the password as opposed to sending it to the user by e-mail, which could be intercepted. Right?

1) Sign in page
2) Sign in fails - display link to Reset Password page
3) Ask user to enter email address to reset their password. Upon submission, the system writes a temporary password to database and e-mails it to the e-mail address.
4) User receives an e-mail with a link to a page that asks them to log in using the temporary password displayed in that e-mail.
5) Once logged in, they are forced to reset the password to something else - in case the reset password e-mail is intercepted.

Is that the best approach?

How do I generate a random password in Step 3 above?

Thank you.
NJ


Ray Borduin (WebAssist)

It has nothing to do with intercepting email. When you encrypt your passwords in your database you can't send them to the user. That is why you would use a reset password rather than sending it.

WebAssist has a binding for a random password you can use if that is the technique you want to use. Your technique seems valid.

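The five steps in the first post, together with Ray's point that a hashed password can never be sent back to the user, come down to a small amount of code. The PHP below is an added example, not WebAssist's random-password binding or any Security Assist output: it generates the temporary password for step 3 from a cryptographically secure source, stores only a hash of it with an expiry, consumes it on first use, and forces the new password in step 5. An in-memory array stands in for the users table; the column names, the one-hour lifetime and the sample address are assumptions.

```php
<?php
// Added example, not WebAssist's random-password binding: the temporary-password reset
// flow from the first post, in plain PHP. An in-memory array stands in for the users
// table; the column names (password_hash, temp_hash, temp_expires, must_reset) and the
// one-hour lifetime are assumptions.
declare(strict_types=1);

const TEMP_PASSWORD_TTL = 3600; // seconds a temporary password stays valid (assumed)

// Step 3: build the temporary password from a CSPRNG. random_int() is suitable;
// rand()/mt_rand()/uniqid() are predictable and must not be used for credentials.
function generateTemporaryPassword(int $length = 12): string
{
    // Alphabet without 0/O and 1/l/I, since the user retypes this from an e-mail.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Only a hash of the temporary password is written to the row, so a copied table
// yields nothing usable; the plaintext exists only in the e-mail to the user.
function beginReset(array &$users, string $email): ?string
{
    $email = strtolower(trim($email));
    if (!isset($users[$email])) {
        return null; // the page shows the same neutral message whether or not the address exists
    }
    $temp = generateTemporaryPassword();
    $users[$email]['temp_hash']    = password_hash($temp, PASSWORD_DEFAULT);
    $users[$email]['temp_expires'] = time() + TEMP_PASSWORD_TTL;
    return $temp; // hand this to the mailer; it is stored nowhere in plaintext
}

// Steps 4 and 5: log in with the temporary password. On success it is consumed and the
// account is flagged so the next page forces the user to choose a new password.
function loginWithTemporaryPassword(array &$users, string $email, string $temp): bool
{
    $email = strtolower(trim($email));
    $row = $users[$email] ?? null;
    if ($row === null || $row['temp_hash'] === null || time() > $row['temp_expires']) {
        return false;
    }
    if (!password_verify($temp, $row['temp_hash'])) {
        return false;
    }
    $users[$email]['temp_hash']    = null;  // single use
    $users[$email]['temp_expires'] = 0;
    $users[$email]['must_reset']   = true;
    return true;
}

// The forced reset replaces the stored hash; old and temporary credentials are both gone.
function completeReset(array &$users, string $email, string $newPassword): void
{
    $email = strtolower(trim($email));
    $users[$email]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['must_reset']    = false;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample row for the demo run.
$users = [
    'nj@example.com' => [
        'password_hash' => password_hash('old-password', PASSWORD_DEFAULT),
        'temp_hash'     => null,
        'temp_expires'  => 0,
        'must_reset'    => false,
    ],
];

$temp = beginReset($users, 'NJ@example.com'); // this value would go in the e-mail
expect($temp !== null, 'reset issued');
expect(!loginWithTemporaryPassword($users, 'nj@example.com', 'wrong-guess'), 'wrong guess rejected');
expect(loginWithTemporaryPassword($users, 'nj@example.com', $temp), 'temporary password accepted');
expect(!loginWithTemporaryPassword($users, 'nj@example.com', $temp), 'temporary password is single use');
expect($users['nj@example.com']['must_reset'], 'account flagged for forced reset');
completeReset($users, 'nj@example.com', 'a new, longer passphrase');
expect(password_verify('a new, longer passphrase', $users['nj@example.com']['password_hash']), 'new password stored as hash');
echo "temporary-password flow OK\n";
```

Two details matter more than the alphabet: the temporary password is hashed with the same `password_hash()` as the real one, so a database dump contains no usable credential at all, and `beginReset()` returns the same outcome to the page whether or not the address exists, so the form cannot be used to discover which e-mail addresses are registered.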

Nathon Jones Web Design

I see that, in the SecurityAssist menu. I'll check that out.

"When you encrypt your passwords in your database...".... :(
Can you elaborate?


Ray Borduin (WebAssist)

Database content is notoriously targeted by hackers and often breached. You have seen it happen to even large companies like Sony, Verizon, and Target in recent years.

One way to protect data is to store it with one-way encryption. We have several encryption options with Data Bridge that can be used. If a database stores information encrypted, then even if someone gets ahold of your database content they won't be able to make sense of the data in it.


Nathon Jones Web Design

I've never really understood encryption. In the case of a password, does that mean that what's stored in the database isn't the actual password itself? So when a user types their password into a password form field and submits it, a function converts that into the encrypted...what?....series of letters, numbers, characters etc and if it matches then they're in?

Can't the encryption be worked out, or is it a case of infinitesimal combinations that would take years to work out?

So should this just be applied to passwords or ALL user data in a database? Sounds like it should be the latter.

I have Data Bridge and Data Assist. How do I access these options?

Thank you.
NJ


Ray Borduin (WebAssist)

In the case of passwords you can use hashed encryption. What gets stored in the database is a seemingly random string of numbers and letters. When your user logs in, you encrypt the value they enter and compare it, and if the encrypted strings match they are let in.

The original hashed value is inaccessible, so it isn't appropriate for most fields. That is where two way salted encryption comes in. A salted encryption can be retrieved from an encrypted field if you have the original encryption string "salt" value used to encrypt it. Then the salt can be saved outside of the database in the php code. Then if someone gets your database they won't be able to decipher the data unless they also get a hold of your salt value. Since getting data from a database and getting data from php are both difficult for a hacker, getting both at once would be more difficult and therefore your data is protected.

The drawback to using a two-way encryption for data is that you can no longer do keyword or partial match searches. Any search would need to be exact match. So really you should only hash passwords and only encrypt fields that contain sensitive enough data that you are ok with the accompanying search restrictions.

In the WebAssist database I hash the password field and use two way encryption on the email address, phone number, last name, and street address fields. If someone were to get their hands on our database they would only know the first names, city, and state of our users which they couldn't do much with.

There are of course a lot of complications and considerations that you have to use once you start using encryption. For instance you would want to enforce a strict format for phone number if you encrypt it, otherwise it would be impossible to search. I convert all email entries to lower case, again to allow searching more easily. It adds quite a few layers of complexity.

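To make Ray's distinction concrete: the previous example hashed the password, which is one-way; the PHP below is an added example (not Data Bridge or any WebAssist encryption option) of the reversible encryption he describes for fields like e-mail, with the secret kept in PHP rather than in the database. It goes one step beyond the thread on the search restriction: rather than making ciphertexts identical for identical input, it encrypts each row with a fresh nonce and adds a keyed lookup column (an HMAC of the normalised value) so exact-match lookups still work while partial matches remain impossible, exactly the restriction Ray describes. The key material, the column names and the sample rows are constructed for the demo.

```php
<?php
// Added example, not WebAssist/Data Bridge code: reversible encryption of a sensitive
// column with the key kept in PHP, not in the database, plus a keyed lookup index so
// exact-match searches still work. Key material here is constructed for the demo; in a
// real deployment it comes from a config file or environment variable outside the web root.
declare(strict_types=1);

// What Ray calls the "salt": secrets that live in PHP and never in the database.
// 32 bytes each (AES-256 key size). Constructed here; in production load from config.
$ENCRYPTION_KEY = hash('sha256', 'demo-only-key-material-replace-me', true);
$INDEX_KEY      = hash('sha256', 'demo-only-index-key-replace-me', true);

// Normalise before encrypting, as the thread suggests for e-mail: lower-case and trim,
// so "NJ@Example.com" and "nj@example.com" produce the same lookup value.
function normalizeEmail(string $email): string
{
    return strtolower(trim($email));
}

// Randomised AES-256-GCM: a fresh nonce per row, so two users with identical plaintext
// have unrelated ciphertexts, and the authentication tag detects tampering on decrypt.
function encryptField(string $plain, string $key): string
{
    $nonce = random_bytes(12);
    $tag = '';
    $cipher = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    // Store nonce, tag and ciphertext together in one column (base64 for a text column).
    return base64_encode($nonce . $tag . $cipher);
}

function decryptField(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $nonce  = substr($raw, 0, 12);
    $tag    = substr($raw, 12, 16);
    $cipher = substr($raw, 28);
    $plain = openssl_decrypt($cipher, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return $plain === false ? null : $plain; // false means wrong key or a tampered row
}

// Exact-match search: because ciphertexts are randomised, WHERE email_enc = ? cannot work.
// Store a keyed HMAC of the normalised value in a second column and search on that.
// Only exact matches are possible; LIKE '%jones%' is impossible by design.
function blindIndex(string $normalized, string $key): string
{
    return hash_hmac('sha256', $normalized, $key);
}

// Constructed rows standing in for the users table. First name stays in clear, as in
// Ray's schema; the e-mail address is stored encrypted plus its lookup index.
function insertUser(array &$table, string $firstName, string $email, string $encKey, string $idxKey): void
{
    $norm = normalizeEmail($email);
    $table[] = [
        'first_name' => $firstName,
        'email_enc'  => encryptField($norm, $encKey),
        'email_idx'  => blindIndex($norm, $idxKey),
    ];
}

function findByEmail(array $table, string $email, string $encKey, string $idxKey): ?array
{
    $needle = blindIndex(normalizeEmail($email), $idxKey);
    foreach ($table as $row) {                             // stands in for WHERE email_idx = ?
        if (hash_equals($row['email_idx'], $needle)) {
            $row['email'] = decryptField($row['email_enc'], $encKey);
            return $row;
        }
    }
    return null;
}

$table = [];
insertUser($table, 'Nathon', 'NJ@Example.com', $ENCRYPTION_KEY, $INDEX_KEY);
insertUser($table, 'Ray', 'ray@example.com', $ENCRYPTION_KEY, $INDEX_KEY);

// Exact match succeeds despite different case and surrounding whitespace.
$hit = findByEmail($table, '  nj@example.com ', $ENCRYPTION_KEY, $INDEX_KEY);
if ($hit === null || $hit['email'] !== 'nj@example.com' || $hit['first_name'] !== 'Nathon') {
    throw new RuntimeException('exact-match lookup failed');
}
// A stolen table copy without the PHP-side keys yields only first names and opaque blobs.
$wrongKey = str_repeat("\0", 32);
if (decryptField($table[0]['email_enc'], $wrongKey) !== null) {
    throw new RuntimeException('decryption should fail without the real key');
}
echo "encrypted column with exact-match lookup OK\n";
```

The trade-offs Ray lists show up directly: the lookup column only answers "is this exact e-mail present?", so normalisation (lower-casing here, a strict phone format in his example) has to happen before both insert and search, and anyone who wants partial-match searching on a field has to leave that field unencrypted.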

Nathon Jones Web Design

Is this option within one of the WebAssist extensions? I'm struggling, as it is, setting up a registration page (just with a plain text password).

I see there is an "Email Encrypted Password" option in the SecurityAssist menu and "Encrypted Password Return"...is that the correct option?

I'm not clear how I set this up on my registration page.

Hope you can help. Thank you.
NJ


Ray Borduin (WebAssist)

If you are using a plain text password then you can just send the password using Universal Email. Just filter a recordset with the entered email address and then send the password returned from the recordset in the email body with a trigger so that it only sends if the recordset is not empty.

The easiest way to do all of this is using the Security Assist wizard as it will create the registration, login, and forgot password pages for you.


Ray Borduin (WebAssist)

My advice is to plan exactly what you want to do and then think of the steps. There are many ways to do forgot password. The simplest is an unencrypted password that you send. With encryption, you either use a reset password link with a key or set a temporary password and send it. Additional security measures could include answering a security question first. How you do it depends on what you want to do and whether you are able to use MySQL or need MySQLi.

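Ray's other option for hashed passwords, the "reset password link with a key", differs from the temporary-password flow in that the secret travels in the URL and is never typed. The PHP below is an added example, not Security Assist output: it issues the key from a secure random source, stores only its SHA-256 with an expiry so a copy of the table cannot be turned into a working link, and redeems it once. An in-memory array stands in for a password_resets table; the column names, the 30-minute lifetime and the example.com address are assumptions.

```php
<?php
// Added example, not WebAssist code: the "reset password link with a key" variant.
// An in-memory array stands in for a password_resets table keyed by token hash; the
// column names, the 30-minute lifetime and the example.com URL are assumptions.
declare(strict_types=1);

const RESET_TOKEN_TTL = 1800; // seconds a reset link stays valid (assumed policy)

// Issue the key that goes in the link. The table receives only its SHA-256, so a copy of
// the table cannot be turned into a working link; the plaintext key exists only in the e-mail.
function issueResetToken(array &$resets, string $userId): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits from a CSPRNG, 64 hex characters
    $resets[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => time() + RESET_TOKEN_TTL,
        'used'    => false,
    ];
    return $token;
}

function buildResetLink(string $token): string
{
    // Placeholder host; a real site uses its own HTTPS address.
    return 'https://www.example.com/reset-password.php?key=' . $token;
}

// Redeem the key from the query string: validate its shape, look up by hash (WHERE
// token_hash = ? against a real table), enforce expiry and single use, and mark it used
// before anything else happens so a replayed link does nothing.
function redeemResetToken(array &$resets, string $token): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                            // malformed or truncated key
    }
    $lookup = hash('sha256', $token);
    if (!isset($resets[$lookup])) {
        return null;
    }
    $row = $resets[$lookup];
    if ($row['used'] || time() > $row['expires']) {
        return null;
    }
    $resets[$lookup]['used'] = true;
    return $row['user_id'];
}

// Pull the key out of a link the way reset-password.php would read $_GET['key'].
function keyFromLink(string $link): string
{
    parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
    return (string) ($query['key'] ?? '');
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$resets = [];
$users  = ['u42' => ['password_hash' => password_hash('old-password', PASSWORD_DEFAULT)]];

$link = buildResetLink(issueResetToken($resets, 'u42'));   // this link would be e-mailed

// Guessed or malformed keys never match a stored hash.
expect(redeemResetToken($resets, str_repeat('0', 64)) === null, 'guessed key rejected');
expect(redeemResetToken($resets, 'not-hex') === null, 'malformed key rejected');

// The genuine link works exactly once; the new password replaces the stored hash.
$userId = redeemResetToken($resets, keyFromLink($link));
expect($userId === 'u42', 'genuine link redeemed');
$users['u42']['password_hash'] = password_hash('a new, longer passphrase', PASSWORD_DEFAULT);
expect(redeemResetToken($resets, keyFromLink($link)) === null, 'link is single use');

// An expired entry is refused even if unused.
$stale = issueResetToken($resets, 'u42');
$resets[hash('sha256', $stale)]['expires'] = time() - 1;
expect(redeemResetToken($resets, $stale) === null, 'expired link rejected');
echo "reset-link flow OK\n";
```

Hashing the key before storage is what makes this safer than a plain "key" column: with 256 random bits the hash cannot be reversed or guessed, so even someone reading the table has to wait for the legitimate e-mail, and by then the link has been used or has expired.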
