PHP Classes

How to Implement a Good PHP Password Recovery Solution Using Reconstitution to Help the User - Yet Another Hash Package package blog

Recommend this page to a friend!
  All package blogs All package blogs   Yet Another Hash Package Yet Another Hash Package   Blog Yet Another Hash Package package blog   RSS 1.0 feed RSS 2.0 feed   Blog How to Implement a Go...  
  Post a comment Post a comment   See comments See comments (0)   Trackbacks (0)  

Author:

Viewers: 448

Last month viewers: 4

Package: Yet Another Hash Package

Passwords are a common way to authenticate users that need to access to sensitive information. Unfortunately many users forget their passwords and need to use a method to recover their passwords.

Read this article to learn about how to implement the password recovery method using reconstitution in a PHP based application using password hashing to make it more secure.




Loaded Article

In this article you may read about:

Introduction

What is Reconstitution and Why it Can Help Users to Recover their Passwords?

What are the Facts that Lead to a Good Reconstitution Process in Password Recovery?

What Makes This Method Valid for Password Recovery?

How to Make a Basic Automatic Reconstitution System?

Conclusion


Introduction

Nowadays, user authentication is primordial in any Web application that handles sensitive information. One of the basic means of implementing user authentication is the use of a password. A password is just a secret key that allows users to access their personal account and other sensitive data.

Unfortunately, users that choose a strong password that is difficult to guess, often they choose something that they do not take too long to forget.

Many methods exist to help users to recover their account passwords. However most of these methods are not secure enough. Sometimes users may not recover their account because they are not able to prove the account is their own.

We know that sometimes a simple reconstitution process may help policemen to catch people that committed crimes. So if we can start treating those who lost their password as crime suspects, we can make the recover process secure enough and lower the rate of accounts that are lost forever due to the inability to recover the account passwords.

Keep reading this article to learn how to implement a basic reconstitution system to help users recovering their accounts.

What is Reconstitution and Why it Can Help Users to Recover their Passwords?

A reconstitution is a process to recover something that was lost using known facts or pieces of a puzzle. In other words, it is a process to bring back something that existed to its initial state.

In criminology or in the history, agents are sometimes lead to build a new description of the facts of past in order to understand the progress and take some decisions based on what that.

Many sciences like archaeology, physics and many others had indirectly or directly resorted to reconstitution to understand and bring some precision to the chronology of the facts. Reconstitution lead many criminals to prison. So they can also lead in many cases users to recover their accounts.

The question now is: how to create a reconstitution process which follows the rules of this art?

What are the Facts that Lead to a Good Reconstitution Process in Password Recovery?

After further thoughts, all this sum up to three facts:

1. Tell the user that the registration process is very important and that everything he will do will be recorded to use later. Also tell that he must be absolutely alone during registration.

2. Then allow some freedom in your registration form. I will explain this better below as it is very important.

3. Finally choose the best form inputs and use a hash method to securely store those form input values to use as reconstitution information.

Now let me explain each fact.

1. By telling the user exactly what you will do with the registration process, he will carefully choose the information to enter and may even remember each character he will enter besides the password.
 
2. This fact is very important. Many times we use restrictions in registration forms. This may allow any person that knows a little about your users, to find the reconstitution information easily. So by avoiding the usual restrictions you make the guessing process more difficult.

Let me give an example: date input with restriction day/month/year is too easy to guess for anyone who knows a little about the user. But when you simply tell the user enter your birth date without imposing restrictions in the format, he will choose the format he wants. He can choose 24 October 1989 or 1989/10/24 or 24-10-89. This is already more difficult to guess the user birth date in the format the users may enter. This may be a great foundation for a secure reconstitution process.

Using select inputs to let the user birth day, month and year would reduce the freedom of the format of the birth date that the user may enter. In this case the user freedom also makes the validation be more difficult.

Another example could be the user gender or even the sexual orientation. Instead of using a select input, you can use a simple text input. This way,you increase the user freedom and consequently then the safety of reconstitution information.

User may enter for the gender M or man, and for the sexual orientation h or hetero or heterosexual or bi or bisexual, etc.. All this to say that freedom on the input format increases the safety of the information. The information will be used as track that criminals leave behind them.

3. Each programmer must choose what data he finds more relevant to become good reconstitution information. For example he can choose the birth date, the gender, sexual orientation, religion, the email to use as reconstitution information. Never a long description or the password because they can be forgotten.

What Makes This Method Valid for Password Recovery?

In sum, the validity of this method only depends on how you manage the freedom of the input data taken using the registration forms and the information that you keep for reconstitution.

The greater is freedom you allow in the forms and the more you tell the user that he must remember exactly what he wrote in order to be able to recover his password, the more secure will become  the reconstitution process.

How to Make a Basic Automatic Reconstitution System?

Let's now implement a small system based on the Yet Another Hash Package.

First download the package archive or install it using PHP Composer.

Here is basic usage example:

require_once('./Ezama_Hashmore.php');

$x = new \eZama\Hashmore( new Hashids\Hashids() );
$f = $x->secretstr( 'leizmo@gmail.com', 'another string here', 10, $ti);
First we will just create the registration form in HTML like this:

<!doctype html>
<html><head></head><body>
<div>
<form method="POST" Action="<?php echo $_SERVER['PHP_SELF'];?>" >
<label for="pseudo">pseudo</label><input type="text" id="pseudo" name="pseudo" />
<label for="email">email</label><input type="text" id="email" name="email" />
<label for="password"> pass</label><input type="password" id="password" name="password" />
<label for="birthdate"> birth date</label><input type="text" id="birthdate" name="birthdate" />
<input type="submit" value="register"/>
</form>
</div>
</body>
</html>
And the verification part of the code follows below. Here it is just an example without using a database to make it simpler but nothing would stop you to use a database once the concept is clearly implemented.
if(isset($_POST['pseudo']))
{
session_start();
$x=new \eZama\Hashmore( new Hashids\Hashids() );
$_SESSION[ 'hashid' ][ 'hash' ] = $x->secretstr( $_POST['email'], $_POST['pseudo'] . ' ' . $_POST['birthdate'], 3, $ti);
$_SESSION[ 'hashid' ][ 't' ] = $ti;
}

Of course, as said above, you should use database in the final version instead of session variables to store hashes.

You must also use specific filtering code to avoid XSS and SQL injection security attackes while allowing form input freedom.

Keep in mind that you can always ask user to change the information in his account dashboard to match your application requirements.

To help user recover his password, you just need to ask him to do exactly what he did 
in registration form. You must use the same form and the same hash algorithm and then compare the information was filled in both forms.

require_once('./Ezama_Hashmore.php');
if( isset( $_POST['pseudo'] )) {
session_start();
$x=new \eZama\Hashmore( new Hashids\Hashids() ); if( $_SESSION[ 'hashid' ][ 'hash' ] == $x->secretstr( $_POST['email'], $_POST['pseudo'].' '. $_POST['birthdate'], 3, $_SESSION[ 'hashid' ][ 't' ]))
echo 'you are connected as '. $_POST['pseudo'];
else echo 'You stink like some polecat just get out here before we call security';
}

Note that here you must store the $ti array values. Otherwise you will never be able to compute the same hash value, even if user filled the exact information.

After you compare the value and they corresponds then user succeed to reconstitution and then you can let him choose new password. 

Conclusion

There are many solutions to recover passwords from that use email messages, ask to secret questions, or phone number reactivation.

None of them is 100% secure. They cannot avoid that you become a victim of phishing and loose access to your email mailbox, or you forget your secret answer, or you loose your phone number or forget to lock your phone, or an hacker knows your friends and choose the right pictures in the Facebook recovery system based on friends recognition and even trust friends that you can contact to activate your password can become your worst enemies.

The system of identity verification based on ID card, passport and other can also be fooled as people can steal your identity cards and emails

Nothing is totally sure. For this reason we must regularly think about new approaches for improving the security of the password recovery solutions.

This article provided you more ideas that you can apply in your PHP Web applications to improve their security.



You need to be a registered user or login to post a comment

1,611,081 PHP developers registered to the PHP Classes site.
Be One of Us!

Login Immediately with your account on:



Comments:

No comments were submitted yet.



  Post a comment Post a comment   See comments See comments (0)   Trackbacks (0)  
  All package blogs All package blogs   Yet Another Hash Package Yet Another Hash Package   Blog Yet Another Hash Package package blog   RSS 1.0 feed RSS 2.0 feed   Blog How to Implement a Go...