How to implement password recovery securely in PHP

How to implement password recovery securely in PHP

How to implement password recovery securely in PHP. This article aims to introduce PHP developers to the thought process of properly implementing security features. We’ve all been novice PHP developers.

Foreword

This article aims to introduce PHP developers to the thought process of properly implementing security features. We’ve all been novice PHP developers at one point in our lives and thought that if there is an md5() in it, then it must be secure.

The primary motivation behind this article is to build upon the efforts of the PHP community to make security best practices more visible amongst a sea of old and insecure advice. When I first wrote this out of frustration in June 2017, 9 out of the top 10 results in a Google search for “password recovery php” were insecure implementations. And, 3+ years later, those same results are still there. That’s the advice we, as a community, are giving to all newcomers to the language. That has to change, so this is my humble attempt at trying to help.

Security advice on the internet (and especially PHP security advice) does not age well. If you are reading this a few years from now, then take it with a grain of salt, though the thought process behind it should still apply.

With that out of the way, let’s get to it.

How (not) to implement a password recovery mechanism in PHP

If you’ve been on the internet for any amount of time, you probably have used the password recovery functionality of some site. Standard practice is to ask the user for their email address (which you asked for when they registered in the site), and send an email to that address with a link. That link contains some particular information that lets the application know which user is the password recovery being done for. It then asks for a new password, and we are all set.

If you are thinking “Why don’t I just email them the password they already have?”, it means you are not hashing them in the first place. Go and do that before you continue reading. No joke. PHP provides a secure way to implement  password hashing and verification, and the defaults are reasonable. Further reading material can be found  here.

You might be thinking “Hey, even I know that you shouldn’t do that!”, but at least a couple of the examples in the top results of that Google search store the password in the database without hashing. So, it would seem that it bears repeating and brings us to our first don’t.

Remember, Do:

1) Generate tokens that don’t depend on the user data and store them in the database.

2) Use random_int or random_bytes for secure random numbers.

3) Set a lifetime for your reset tokens.

4) Discard the reset tokens after use.

php security password-security

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

How To Create Secure Registration Flow with PHP and Password Hashing

Building a secure user registration form with PHP seems like a scary task. How do I protect myself from MySQL injection and other methods of hacking. Surprisingly, with only a few steps and precautions, you can greatly reduce the chance of success for attacks.

How To Set Up Two-Factor Authentication in cPanel

What is 2FA Two-Factor Authentication (or 2FA as it often referred to) is an extra layer of security that is used to provide users an additional level of protection when securing access to an account.

Best Custom Web & Mobile App Development Company

Top Web & Mobile Application Development Company in India & USA. We specialize in Golang, Ruby on Rails, Symfony, Laravel PHP, Python, Angular, Mobile Apps, Blockchain, & Chatbots

Google’s Chrome 86: Critical Payments Bug, Password Checker Among Security Notables

Google is rolling out 35 security fixes, and a new password feature, in Chrome 86 versions for Windows, Mac, Android and iOS users. Google's Chrome 86: Critical Payments Bug, Password Checker Among Security Notables ... Google is rolling out 35 security fixes, and a new password feature, in Chrome 86 versions for Windows, Mac, Android and iOS ...

Hire PHP Developer - Best PHP Web Frameworks for Web Development

Hire our Laravel, CodeIgniter, YII, Zend, Cake PHP, Core PHP developers for your custom web development projects. Choose best PHP Web Frameworks & get satisfactory results.