Why A Website Should Never Send You Your Password

August 12th, 2008

This is a lesson on the basics of security.  It is an example for both web developers and people who use the same password for many different accounts.  Now my password habits aren't all that great.  I have two main passwords: one really secure (for bank account, email, etc.) and one not so secure (various accounts at different websites), and I have 5 or 6 different passwords I just randomly use sometimes.  The problem is, I sometimes forget which passwords I use with which account, so I often have to use the "forgot your password?" feature of a website.  Pretty much everyone has used this type of form at least once.

You should never be sent your password

So the idea behind a website's "forgot your password" feature is that via your email, you will have an opportunity to regain access to your account.  There are typically two ways this happens: either you are sent your password in plain text, or you are sent a special link (one just for you!) that takes you to a page that allows you to reset your password.

Obviously having a password sent to you in plain text is not the greatest way to get a reminder of your password.  It's not bad just because it comes via a relatively insecure medium (email), but instead it's bad because the website knows your password.  Any service you use should not be able to send you your password because they should not know what it is.  If they know what it is, then anyone who has or gains access to their data (malicious employees, hackers), knows what it is as well.  How many times do you use the same username/email/password for accounts at different places?

But if they don't know the password - how do I authenticate?

All passwords should be hashed, and the hash stored in place of the password.  This way, if the data is ever compromised, all the attacker has is a useless hash, because a hash cannot be reversed to recover the password.

If you're looking to implement hashed passwords in your web applications, you should store md5(password) in the database.  To authenticate, you would do something like:

// $md5pass is the stored md5(password) for this user; === avoids PHP's loose string comparison
if (md5($_POST['password']) === $md5pass)

and if the two resulting hashes match, the password is ok.

Going even further in security

If you want to go the next step, when storing the password in the database you should add salt.  Typically a couple of characters from the username, prepended to the password before hashing, does the trick.

This prevents someone with a list of all the hashes (say, someone with access to your database) from hashing every word in a dictionary and comparing the resulting hashes.  If the hash has been salted, as with username:david password:test (stored as, for example, md5(datest)), an attacker would not find any matches in a simple dictionary or rainbow table.
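As an added example (not code from the original post), here is the scheme above in Python rather than the post's PHP: md5 over a username-derived salt plus the password, a login check, and a constructed table of pre-hashed dictionary words standing in for an attacker's precomputed table, to show why the unsalted hash of "test" is found and the salted one is not. The function names and the five-word dictionary are my own.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for an attacker's precomputed table: MD5 of a tiny
# dictionary, keyed by hash so a stolen hash can be looked up directly.
DICTIONARY = ["password", "123456", "test", "letmein", "qwerty"]
LOOKUP_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in DICTIONARY}


def make_salt(username: str) -> str:
    # The post's scheme: a couple of characters from the username act as salt.
    return username[:2]


def hash_password(username: str, password: str, salted: bool = True) -> str:
    # Stored value: md5(salt + password), or plain md5(password) when unsalted.
    # md5 is used because the post uses it; hashlib.sha256 has the same interface.
    salt = make_salt(username) if salted else ""
    return hashlib.md5((salt + password).encode()).hexdigest()


def verify(username: str, password: str, stored_hash: str, salted: bool = True) -> bool:
    # Recompute from the submitted password and compare with the stored hash.
    # compare_digest keeps the comparison time independent of where the hashes differ.
    return hmac.compare_digest(hash_password(username, password, salted), stored_hash)


def lookup_leaked_hash(stored_hash: str) -> Optional[str]:
    # What a database leak looks like from the other side: one table lookup per hash.
    return LOOKUP_TABLE.get(stored_hash)


if __name__ == "__main__":
    unsalted = hash_password("david", "test", salted=False)
    salted = hash_password("david", "test")  # md5("da" + "test")
    print("unsalted:", unsalted, "->", lookup_leaked_hash(unsalted))  # found: test
    print("salted:  ", salted, "->", lookup_leaked_hash(salted))      # None
    print("login ok:", verify("david", "test", salted))               # True
```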

So basically, if you receive a link to reset your password, your password is likely hashed.  If you receive your password via email in plain text, your password is not hashed, and your account is likely facing a security risk (email the offending company and complain!).

  1. X-Format
    November 14th, 2008 at 21:32

    I agree with this, but instead of emailing the “offending company and complain” and waiting for an official reply that will sound something like “We are professionals. We don’t know what your password looks like because the password is sent to you automatically [blah blah...]”, you could just change your password again after you gain access to your account. Simple.
