“Forgot My Password” Retrieval PHP Programs

If you have ever forgotten your password to a website, you probably appreciate the systems that retrieve them for you. The PHP systems that handle these situations may send an email with your password to the address in your account. Other PHP systems may create a new password, or create an access key that is only valid for a short duration. Secondary account access options may let you use a question-answer system or similar method to get into your account. Whichever method the PHP system employs, the goal is the same; to supply account access and allow a password update.

The simplest PHP system to provide a lost password is to email it to the user. The requirements are very basic. The user must supply the correct user name andemail address for the account. If both pieces of data match, the PHP server will generate an email to the user containing the password. For websites that display the email address and the user name for any given website account, this can lead to abuse and annoyance to the user. It would be beneficial to utilize a graphic blocker and track user information such as IP Addresses and repeat hits. Preventing overuse of the password retrieval system can really help to prevent abuse.

A more sophisticated method is to generate an Access Key and email it to the user. The Access Key must be decrypted by the PHP server and supply a secondary login route for the user. Once the user can access the account, the password can be updated. The Access Key should be tracked by the PHP server so it cannot be used more than once, must be used within a prescribed period of time, and can only access a single account. Some form of two-way encryption should be employed with random salting/seeding so as to be unpredictable and decipherable.

Using Question-Answer retrieval systems can be more complicated than necessary and can often lead to problems. This method is more often used for telephone support, so the operator or service rep can gain additional confidence that the user is associated with the account in question. Whether the questions be data types or related to real life, or  answers benumbers or real life facts, the goal is the same and the issues or the programmer are similar.

Some PHP websites use one-way encrypted passwords to help protect account information. One-way encryption allows the real password to become encrypted without the real possibility of anyone decrypting it effectively. In a situation where one-way encrypted passwords are stored in a file system, they can be stolen and still be of little use. Since the password is encrypted and likely not decryptable, the thief would not be able to use the passwords. Of course, if the thief can steal th passwords, it is likely the thief can steal the entire file system. One-way encrypted passwords play a minor role in protecting file systems compared to healthy Network Security. In order to validate a user password against a one-way password encryption system, the user’s password entry must be encrypted using the exact same method as the password in the file system was originally encrypted. The two post-encrypted passwords are then compared and if true, they are the same. If the user’s password is incorrect, or if the method of encryption is not identical to the original, the comparison will fail.

Whichever PHP system is used to retrieve a password for a user, there are important decisions to make. The PHP system must be easy for anyone to use. The method of validation must limit access and retrieval to the true account owner. Malicious use and hack attempts must be prevented and effectively disabled. Additional PHP systems should be considered such as Graphic Blockers. A balance between preventing abuse and providing easy access can be a tricky one, but the result is happier users who put less stress on your customer support services.

Leave a Reply