Home/ Questions/Q 7635117
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T07:21:34+00:00

I’m currently designing a small website and I’d like to implement the forgot your

  • 0

I’m currently designing a small website and I’d like to implement the “forgot your password?” feature. Here is my idea:

forgot your password web page will have this:

Email: (input box)
(button: "Make temp password")

On “Make temp password” button click:

  1. Sanitize email input for SQLi/XSS
  2. Check to see that the email address exists in the database
    • if not, tell user to make new account or check email spelling
  3. Create random password (ie “xh5MvQe”) and put it in database in the user’s temp password field.
    • overwrite if already exists. do not touch the main password. the user will be able to log in with two passwords for the next 48 hours.
  4. Get the current UTC time plus 48 hours and put it in the user’s temp password expiry date field in database. overwrite if already exists.
  5. Send email to user with the temp password

My database has these fields for the user table:

(primary key) user id
name
nickname
(non null, unique) email
(non null) password (encrypted)
temporary password
temporary password expiration

Once the user has the password, they can log in and change their main password.

Question is: is this a secure way to implement this feature? My main concern is sending a plain text password via email. I’ve seen the other way of generating a link with email hashed/timestamp/random id as a GET parameter, but I don’t see how that’s any more secure. Please correct me if I’m wrong.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Read this: The definitive guide to form-based website authentication

    It’s bad to send the users any passwords, because you can’t be sure if his machine/email account is/will be secure. If you generate and send a password, the user might not change it. You can’t avoid to send some kind of identification token for recovery though, so an expiration date is a good idea.

    Never store plain passwords anywhere. Use a salted hash. An attacker getting access to your database is bad enough, but it’s even worse for users who used the same password for other services – and they always do this, silly users.

    So, this is a way to avoid saving plain text passwords on a users machine:

    1. Sanitize email input for SQLi/XSS
    2. Check to see that the email address exists in the database
      • if not, tell user to make new account or check email spelling
    3. Create random recovery login token (ie “xh5MvQe”) and put it’s hash in database in the user’s password recovery hash field.
      • overwrite if already exists. do not touch the main password. The user will be able to
        • log in with his old password, deleting the recovery hash.
        • log in with the recovery token passwords once, in the next 48 hours, which forces the user to choose a new password.
    4. Get the current UTC time plus 48 hours […]
    5. Send email to user with the one-time recovery login token link.
    • 0