Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
anton_myaso2015-01-20 16:45:52
PHP
anton_myaso, 2015-01-20 16:45:52

What is the best way to implement automatic password change?

Good afternoon.
There is a self-written CRM running on PHP+MySQL.
In fact, there are several databases within one system:
BD_main
BD_office1
BD_offce2
Each, except for main, has a USERS table with a standard set of fields, such as ID, Name, pass, mail.
There was a need to change the password once a month for the entire database and send it all to Mail.
Another trick is that in the database passwords are in MD5, a letter to the mail, of course, is stupidly text without hashing.
What is the best way to integrate all this? Any sample scripts?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
A
Alexander Bagirov, 2015-01-20
@anton_myaso

Try several options:

  1. Create a "password_expire" column in the database in the users table. When registering, we put the current date + 90 days there (or as long as you need). We also add a "blocked" column and set everything there to false. We are writing a script that pulls from the database all users whose password_expire is equal to the current day, and sets them to true in blocked. We make cron this script so that it runs once a day. After that, we supplement the authorization script so that when entering it, it checks the value of blocked. If it is true, then we throw on the page where we inform about the need to change the password, and require a new password. After a successful change, set blocked to false and password_expire to the current date + 90 days;
  2. Add the password_expire column to users, where we set today + 90 days. Again we write the handler. If password_expire is the current date, then send the user an email with a link to the password change page;
  3. All the same password_expire and blocked, but more humane: just at the beginning of the page we hang a block with a password change notification and do not remove it until the password is changed and, accordingly, blocked becomes false.

Report
A
Armenian Radio, 2015-01-20
@gbg

Everything is very bad. This system is completely insecure. The user should simply be prompted to change the password immediately after logging in with the old password. What you have now is a scam.

Similar questions
S
StayAtHome2015-04-01 12:24:02
How to distinguish a web request from a regular page from a request from the extension itself from a Chrome/Opera extension? 4Reply
P
Pavel2014-05-18 14:34:20
How to set up Chrome DevTools Autosave on windows? 4Reply
O
Ob1van2016-06-24 15:03:47
How to correctly configure suricata ips in af_packet mode ubuntu 16.04 server behind a transparent TOR gateway. Is it possible? 1Reply
S
student_it2015-04-19 11:49:55
How can I prevent the Referer from being sent when playing an audio file via the HTML Audio tag? 2Reply
H
HAtan2020-09-30 15:30:27
How to process a click and record it? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question