Hello, good day, I'm new to PHP. I have a complete registration, login, and password recovery form. I am working with XAMPP on localhost.
Everything works fine, but when recovering the password by mail, it arrives in the same form in which it is stored, encrypted, in the database.
My registration database has id, Name, Email, Password, User-id, etc. The login is made up of a login.html, and the form action="verif-login.php" checks it with these values:
$hash = $row['Password'];
if (password_verify($_POST['password'], $hash)) {
    // login succeeds
}
How can I create a password change that works with the hash, by sending a URL that arrives by mail? (The sending is already arranged.)
I hope you can give me a hand with this, which has driven me crazy for more than a week.

For security reasons you should not decrypt the password, even if you use MD5, which is very easy to decrypt (if you use MD5 your system is highly vulnerable).
A simple possibility is to send the user to a password recovery link where he must enter his email. In the Back-End you create a random password to be sent to his email with instructions that it is a temporary password that he must change.
Where generatePassword() returns a random key, for example something like this:
You take $claveEncriptada, save it in the data table and send $clave in clear text to the user's email.

You cannot crack a password stored with bcrypt. That is the whole point of using a cryptographic hash function.
All you can do is check whether a given password matches (see code sample). This method could be applied repeatedly with many candidates, which is called a "brute force attack", and is not feasible for strong passwords.
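As an added example, not code from the thread or from the asker's project, here is the temporary-password flow the first answer describes, together with the password_verify() check the second answer refers to, in one runnable PHP script. It assumes a users table with the question's id, Email and Password columns plus a must_change flag, and supplies the generatePassword() helper the answer mentions but does not show; the mail transport is passed in as a callable so the asker's existing sending code can be plugged in. The walk-through at the bottom uses an in-memory SQLite database with constructed data.

```php
<?php
// Added example, not from the original thread. Assumptions: a `users` table with
// id/Email/Password (as in the question) plus a must_change flag, and a
// generatePassword() helper (mentioned in the answer, defined here).
declare(strict_types=1);

// Random temporary password from a CSPRNG (random_int); no ambiguous characters.
function generatePassword(int $length = 12): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789';
    $max = strlen($alphabet) - 1;
    $clave = '';
    for ($i = 0; $i < $length; $i++) {
        $clave .= $alphabet[random_int(0, $max)];
    }
    return $clave;
}

// Recovery request: only the hash ($claveEncriptada) is stored; the clear value
// ($clave) is handed to the mailer once and never written to the database.
// $sendMail is callable(string $to, string $body), e.g. the asker's own mailer.
function issueTemporaryPassword(PDO $db, string $email, callable $sendMail): bool
{
    $stmt = $db->prepare('SELECT id FROM users WHERE Email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        // Unknown address: the caller should respond exactly as for a known one,
        // so the form does not reveal which emails are registered.
        return false;
    }

    $clave = generatePassword();
    $claveEncriptada = password_hash($clave, PASSWORD_DEFAULT); // bcrypt, salted

    $upd = $db->prepare('UPDATE users SET Password = ?, must_change = 1 WHERE id = ?');
    $upd->execute([$claveEncriptada, (int) $userId]);

    $sendMail($email, "Your temporary password is: $clave\nIt must be changed after logging in.");
    return true;
}

// Login (what verif-login.php does): compare the submitted password with the
// stored hash. A temporary password is verified exactly like a normal one.
function verifyLogin(PDO $db, string $email, string $submitted): ?array
{
    $stmt = $db->prepare('SELECT id, Password, must_change FROM users WHERE Email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($submitted, $row['Password'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'must_change' => (bool) $row['must_change']];
}

// Forced change: the user replaces the temporary password with one of their own,
// which clears the must_change flag.
function changePassword(PDO $db, int $userId, string $newPassword): void
{
    $upd = $db->prepare('UPDATE users SET Password = ?, must_change = 0 WHERE id = ?');
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
}

// Walk-through on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, Name TEXT, Email TEXT, Password TEXT, must_change INTEGER DEFAULT 0)');
$ins = $db->prepare('INSERT INTO users (Name, Email, Password) VALUES (?, ?, ?)');
$ins->execute(['Ana', 'ana@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);

$mailed = null;
issueTemporaryPassword($db, 'ana@example.com', function (string $to, string $body) use (&$mailed) {
    $mailed = $body; // a real deployment hands this to the mail transport instead
});
preg_match('/: (\S+)/', $mailed, $m);
$tempPassword = $m[1];

// The old password no longer verifies; the temporary one does and carries must_change.
var_dump(verifyLogin($db, 'ana@example.com', 'old-secret'));
$login = verifyLogin($db, 'ana@example.com', $tempPassword);
var_dump($login);

// After the forced change the temporary password is dead and the new one works.
changePassword($db, $login['id'], 'my-new-password');
var_dump(verifyLogin($db, 'ana@example.com', $tempPassword));
var_dump(verifyLogin($db, 'ana@example.com', 'my-new-password'));
```

Run it with `php recovery.php` on any PHP build with the pdo_sqlite extension. The point the example makes is that nothing in the flow ever reads a password back out of the database: the temporary password is generated, hashed and stored, its clear text goes to the mailbox once, and from then on the only operation is password_verify() against the stored hash, exactly as verif-login.php already does.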