seems to work just fine the first time.
If I use the password recovery link a second time, it gives me the "choose a new password" form, but then says "check your email" after I submit it (the password is *not* changed). Using the password recovery link more than once, I would expect to get an "expired link" notice and an option to send a new "forgot password" email.
The "please check your email" and "your password has been reset" messages are dead ends - just the text, no formatting, no menus, no "Home" button, nothing. I assume this is just temporary, and that the messages will show on normal site pages eventually.
The one thing I **do not** like is that my password is emailed to me *in clear text* when I register.
Otherwise, well done :)
Yeah, I meant to remove that emailed password/username thing. Using the password recovery form should always work though. I'll try debugging it some more. Or were you talking about trying to reuse the same emailed link multiple times?
The blank pages with simple text messages are a placeholder. Thanks for the help and encouragement everyone. I'll let you know if I find any bugs.
I was talking about reusing the same link.
It didn't work, and that's a good thing - but it did seem confused. :)
UPDATE:: PHP 5.5 will have native password hashing functions that will make this conversation (and all associated confusion) obsolete!
BONUS:: there is a userland compatibility patch that you can use now (w/version 5.3.7+)!!
functions (same names/signatures for native and userland functions):

/**
 * password_hash(): Hash the password using the specified algorithm
 * @param string $password The password to hash
 * @param int $algo The algorithm to use (Defined by PASSWORD_* constants)
 * @param array $options The options for the algorithm to use
 * @return string|false The hashed password, or false on error.
 */
// example usage:
$hash = password_hash( 'password', PASSWORD_BCRYPT );
// returns "$2y$10$a6o9xrystDhNxm3PAxaS5.GxojspgIrhgb5tFSey7aIHHtzQCWxKK", ready to save in your DB!

/**
 * password_verify(): Verify a password against a hash using a timing attack resistant approach
 * @param string $password The password to verify
 * @param string $hash The hash to verify against
 * @return boolean If the password matches the hash
 */
// example usage:
$match = password_verify( 'password', $hash );
// returns TRUE - the password and hash match! Log them in!

// other functions are useful, but less immediately so:
// password_get_info(): Get information about options used to create a hash.
// password_needs_rehash(): Determine if the password hash needs to be rehashed according to the options provided
It was actually easy to install on my shared hosting account. It is a single php file that I can include (or require).
Just one question. How should I set the salt for the PASSWORD_BCRYPT used?
Thanks for the useful tip!
The third param of password_hash() is an associative array, $options. You can pass a specific salt to the function like so:

$hash_with_my_own_salt = password_hash( 'password', PASSWORD_BCRYPT, array( 'salt'=>'someUnique22charString' ) );

However, if you don't include a salt, one will be generated automatically. It is pretty well-implemented, so I'd recommend allowing the function to generate its own salts. Also, password_hash() returns the same value as crypt(), so you don't need to store the salt separately (because it's included in the hash, password_verify() automatically knows what salt and algo to use).
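An added example (not code from anyone in this thread) of how registration and login fit together with these functions, letting password_hash() pick its own salt and using password_needs_rehash() to upgrade old hashes at login time. It assumes a hypothetical `users` table with `username` and `password_hash` columns reached through a PDO handle.

```php
<?php
// Added example, not from the thread. Assumes a hypothetical `users`
// table (username, password_hash) accessed through PDO.

const HASH_ALGO    = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12]; // raise over time as hardware gets faster

function register(PDO $db, string $username, string $password): void
{
    // No 'salt' option: password_hash() generates a random salt and embeds
    // it in the returned string, so only that string needs to be stored.
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a freshly computed dummy hash when the user is unknown,
    // so the response time does not reveal which usernames exist.
    $stored = $row['password_hash'] ?? password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
    if ($row === false || !password_verify($password, $stored)) {
        return false;
    }

    // The plaintext is only available right here, so this is the moment to
    // re-hash entries created with an older cost or algorithm.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $new = password_hash($password, HASH_ALGO, HASH_OPTIONS);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([$new, $username]);
    }
    return true;
}
```

Because the salt and cost travel inside the stored string, raising `HASH_OPTIONS['cost']` later needs no schema change; existing users are migrated the next time they log in.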
Nice, no more need for salts :). I still want to test this out more before updating my current password system, but it still looks promising.
Resurrecting this again…
Here's a good talk on the very subject, with lots of insight on the concepts (not so much on actual code).