How to implement a temporary password logic?

Question

I want to implement a logic similiar to what some of the websites do is they ask for your email address and send you a link on that mail address when you click on that link you are redirect to there home and given a temporary password which expires in a time limit and ask you for setting up your new password.

I am intersted in knowing the logic for generating temporary passwords, how to store them keep them safe and expire them after a period of time. I donot have any language preference. but i can understand java and php examples well. please suggest.

Answer 1

One way would be to generate an MD5 hash of the user info provided to use as the password.

$name = "sushil bharwani";
$email = "[email protected]";
$pass = md5($name . $email);

Which would get you a string such as 1f3870be274f6c49b3e31a0c6728957f. Because the MD5 function will always create the same output from a given input, it's theoretically possible that someone who knew you were registering, what fields were required and what you'd most likely put in them, they could guess the MD5 hash that would be sent to you. This could be alleviated by adding a random number to the input to md5, but unless you work for a covert government agency it's unlikely anyone would care enough to attempt this anyway.

If you wanted to be more secure, you could generate a public/private key pair, storing the public one in your database and sending the private one in the email. The private key cannot be guessed other than by brute-force, so in that respect it would be more secure. But because you're sending it through email, which is completely insecure, it's not likely to be a very big security gain.

Also keep in mind that either method of generating password will be generating something far harder to guess that what the users themselves are going to choose for passwords, so worrying about it too much is probably a waste of energy.

As for the temporary part, just use a timestamp to record when the password was created and use a cronjob to delete any older than x days that haven't been changed.

Answer 2

Well if you're having something where their password is stored, I'm imagining that you're using a database to store it all in.

So what you could do is make a new table that holds just the temp passwords. Then when a user clicks the link to get a temp password, create a random string and then have an expiration time for about an hour from now or so. To do that, just get the time and add an hour onto it. Then save the new temp password, the time it expires, and the user it is for into a row in your table for temp passwords.

Then, when the user goes to use the temp password, check and see if the current time is greater than the expiration time. If it is, then the password is expired and it doesn't work. If not, then it works.

If you want you can periodically run a script that goes through your database and deletes expired passwords, but as long as the have a time thats in the past then it won't work, so it doesn't really matter.

This is just how to store and expire them though. Hope it helps!