i want to create password recovery?

Question

2.25/5 (4 votes)

See more:

i work on one portal in that admin creating user account and providing password change facility to user. if user forgot the password so how he can recover /know the password.
i want to provide sms/email facility to user .how can i do it? please help me.

Posted 27-May-11 2:37am

suvaaj

Updated 27-May-11 2:38am

v2

Add a Solution

Comments

R. Giskard Reventlov 27-May-11 8:50am

What have you already tried? What research have you carried out?

Nickos_me 27-May-11 8:57am

I think, you have given too few information.

To create email facity, just create a fowrm with text input and submit button. On button pressed you:
1. Protect string from SQL injection.
2. Create select query "SELECT pass FROM tbl WHERE user='{0}' " (but, maybe, you use NHibernate or your own ORM) ?
3. Create email with System.Net.Mail.MailMessage.
4. Send it!
For sms you can use service like than http://avisosms.ru/solutions/csharp (sorry for russian).

But, it's not good answer. Give me please more informatian and I'll try to help you.

Ankur^\m/ 27-May-11 9:01am

There are so many examples on the web. Search for them.

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Accepted Answer · 2011-05-27T03:03:00

Actual password recovery is not a good idea: it means you have to store the password in a form that you can send it to the user.
A better idea is to reset the password to a random value, and email that to the user. He can then change it to something he will remember when he logs in.
There are some notes on passwords here: Password Storage: How to do it.[^]
And a generic email routine here: Sending an Email in C# with or without attachments: generic routine.[^]

"But we can obfuscate our code and store secret key not in code.
And if user want to recovery (exactly recovery) his password and not to create new why we shouldn't encrypt it?
I really agree with your opinion by in large, but I often see databases with encrypded passwords, not hashed."

"we can obfuscate our code" - oh, that is a good one! "I'll secure my house by hiding the key under the mat, no-one will look there!"
Even if your code is obfuscated, you can still read it. Execute it. Decrypt passwords with it. How many different passwords do you use? Most people (if given a choice) use the same password for everything. Think about it. That means that if your site is vulnerable, then the password to everything is revealed.

"And if user want to recovery (exactly recovery) his password and not to create new why we shouldn't encrypt it?"
Recovery is something I argue against: if the user has lost his password, how do you know it is the user you are talking to when you give it back to him? If it isn't the real user, you have just given out his password and he doesn't know. If you reset his password, and send the new one to the email he originally registered with, then at least there is some margin of security, and the old password no longer works: at least the real user becomes aware that there has been a breach.

"I often see databases with encrypded passwords"
Just because one idiot drives the wrong way up the motorway, does that make it a good idea?
There are too many people out there who do not think before they construct a site, particularly about the security implications. That doesn't mean we should all concatenate our SQL queries, because "lots of other sites are vulnerable to SQL Injection attacks, so we should be too."

Yvan Rodrigues · Accepted Answer · 2011-05-27T03:09:00

1. Do not store the passwords in plaintext. I know you didn't ask about that, but since some of the biggest websites in the world still haven't figured that out, I thought it worth mentioning. You're not storing the passwords in plaintext ARE YOU?

2. Ask yourself, do they really need to RECOVER their password or RESET their password. If recover, you will need to store their passwords using encryption. I STRONGLY DISCOURAGE you to do this. If a hacker discovers your private key or password they have access to all of the passwords. If they are able to download the encrypted passwords they can use common techniques to crack most of the passwords in a short amount of time.

3. If they just need to reset their password, you'll never need to send them their old password. You can store their password as a salted hash[^]. Just send them a new one and force them to change the password at the next login.

4. Sending the password using SMS isn't a bad ideas as long as they have to enter their SMS phone number BEFORE they lose their password. I think you'll find most people don't want to give out their cell number though.

i want to create password recovery?

2 solutions

Solution 1

Solution 2

Add your solution here

Preview 0