How to implement password recovery securely in PHP. This article aims to introduce PHP developers to the thought process of properly implementing security features. We’ve all been novice PHP developers.
This article aims to introduce PHP developers to the thought process of properly implementing security features. We’ve all been novice PHP developers at one point in our lives and thought that if there is an md5() in it, then it must be secure.
The primary motivation behind this article is to build upon the efforts of the PHP community to make security best practices more visible amongst a sea of old and insecure advice. When I first wrote this out of frustration in June 2017, 9 out of the top 10 results in a Google search for “password recovery php” were insecure implementations. And, 3+ years later, those same results are still there. That’s the advice we, as a community, are giving to all newcomers to the language. That has to change, so this is my humble attempt at trying to help.
Security advice on the internet (and especially PHP security advice) does not age well. If you are reading this a few years from now, then take it with a grain of salt, though the thought process behind it should still apply.
With that out of the way, let’s get to it.
If you’ve been on the internet for any amount of time, you probably have used the password recovery functionality of some site. Standard practice is to ask the user for their email address (which you asked for when they registered in the site), and send an email to that address with a link. That link contains some particular information that lets the application know which user is the password recovery being done for. It then asks for a new password, and we are all set.
If you are thinking “Why don’t I just email them the password they already have?”, it means you are not hashing them in the first place. Go and do that before you continue reading. No joke. PHP provides a secure way to implement password hashing and verification, and the defaults are reasonable. Further reading material can be found here.
You might be thinking “Hey, even I know that you shouldn’t do that!”, but at least a couple of the examples in the top results of that Google search store the password in the database without hashing. So, it would seem that it bears repeating and brings us to our first don’t.
1) Generate tokens that don’t depend on the user data and store them in the database.
2) Use random_int or random_bytes for secure random numbers.
3) Set a lifetime for your reset tokens.
4) Discard the reset tokens after use.
Building a secure user registration form with PHP seems like a scary task. How do I protect myself from MySQL injection and other methods of hacking. Surprisingly, with only a few steps and precautions, you can greatly reduce the chance of success for attacks.
What is 2FA Two-Factor Authentication (or 2FA as it often referred to) is an extra layer of security that is used to provide users an additional level of protection when securing access to an account.
Top Web & Mobile Application Development Company in India & USA. We specialize in Golang, Ruby on Rails, Symfony, Laravel PHP, Python, Angular, Mobile Apps, Blockchain, & Chatbots
Google is rolling out 35 security fixes, and a new password feature, in Chrome 86 versions for Windows, Mac, Android and iOS users. Google's Chrome 86: Critical Payments Bug, Password Checker Among Security Notables ... Google is rolling out 35 security fixes, and a new password feature, in Chrome 86 versions for Windows, Mac, Android and iOS ...
Hire our Laravel, CodeIgniter, YII, Zend, Cake PHP, Core PHP developers for your custom web development projects. Choose best PHP Web Frameworks & get satisfactory results.