Forgot/Change Password option (JDBC)

abhiavi kumar
Greenhorn

Joined: Mar 13, 2013
Posts: 20
I have a Java application. I want a user to be able to change his password on forgetting it, by providing the right user_id and account_no. (The backend is Oracle.)

Here is my idea: the user enters his user_id and his account_no into two text boxes; these entered values should be compared with the columns "USERID" and "ACCOUNTNO" in the 'USERDETAILS' table.

If the given values in the text boxes are compared and turn out to be true,

the user moves to another page, with a text box, where the user enters his desired new password.

This new password should replace the old password in the 'PASSWORD' column of table 'LOGINDETAILS' where the given user_id matches the appropriate value in the "USER_ID" column, which is also in 'LOGINDETAILS'.

Is this too complicated to be answered here? Any ideas would be appreciated.
Campbell Ritchie
Sheriff

Joined: Oct 13, 2005
Posts: 39393
    
abhiavi kumar wrote: . . . Is this too complicated to be answered here? . . .
Yes. Let’s try the databases fora.
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30752
    

Your design is fine. I'm not sure what the question is.

One suggestion - it is good practice to store an encrypted version of the password rather than the exact password.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
abhiavi kumar
Greenhorn

Joined: Mar 13, 2013
Posts: 20
Jeanne Boyarsky wrote: Your design is fine. I'm not sure what the question is.

One suggestion - it is good practice to store an encrypted version of the password rather than the exact password.


Maybe I'm not getting my point across properly, but I'll try to put it in a much simpler way, since what I'm looking to achieve is quite simple but slightly going over my head.

How do I let a user recover his password if he forgets it for some reason? The conditions for recovering his password are that he must provide his correct user_id and perhaps another detail like Date of Birth (which is also already stored).



Here is my idea.

The user clicks on a "Forgot password" link.

The user is then asked to enter his user id and his Date of Birth.

If the entered user id and DOB are correct (and only then), the user is allowed to enter a new password of his choice.

The user's new password replaces the old/forgotten password?


Here is an additional detail: the columns "User Id" and "DOB" are in table A; the same "User Id" is also in table B, with a "Password" column.

Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30752
    

abhiavi kumar wrote:The user's new password replaces the old/forgotten password?

Yes. You absolutely don't want to be "recovering" the password. Very few sites will email you your password anymore and they are horribly insecure. They are also inviting having the passwords stolen by storing them in plain text. You should only store an encrypted version of the password in the database.

abhiavi kumar wrote: Here is an additional detail: the columns "User Id" and "DOB" are in table A; the same "User Id" is also in table B, with a "Password" column.

That's ok. You can do a join. Consider what type of site you are working on. User id and date of birth might not be enough. Many people know your date of birth. Originally you were asking for account number, which is more secure.

If you are working on a bank or other secure site, you'll need more than this anyway. Like confirmation by emailing a link to change the password.
abhiavi kumar
Greenhorn

Joined: Mar 13, 2013
Posts: 20
I understand your concerns and you raise points that I will have to use someday. The thing is, I'm now working on a small project which isn't going to be used by anyone, so security isn't that much of a concern and any theft would be far from a worry. I would like to have a user who forgot his password and wants to recover it enter his user id and any other credential correctly to have a new textbox where he enters the new password that replaces his old password that is stored in a DB, that's all.

If I can't replace the old password with the new one, I'll only need the user to be shown his old password openly on a browser window, like "Your password is : javaranch" that's all. Just a basic feature I want to add so that people can remember their password, any ideas would be appreciated.

Thanks again.




Winston Gutkowski
Bartender

Joined: Mar 17, 2011
Posts: 8008
    

abhiavi kumar wrote: Maybe I'm not getting my point across properly, but I'll try to put it in a much simpler way, since what I'm looking to achieve is quite simple but slightly going over my head.
How do I let a user recover his password if he forgets it for some reason? The conditions for recovering his password are that he must provide his correct user_id and perhaps another detail like Date of Birth (which is also already stored).

Jeanne has touched on some of the problems here, but you really need to get back to basics to understand WHY what you're proposing is not safe.

And the basic question here is: What is a password?

It's a mechanism that allows you - as a provider of services - to know that "they" (whoever "they" are) are actually who they claim to be. So, if they've forgotten their password, how do you know?
Simple answer: you don't; hence the "supplementary" questions.

So, you've now established that they are who they say they are, and you want to allow them to "know" their password. How do you propose to do that without letting the rest of the world know as well? (as Jeanne already pointed out, e-mail is notoriously insecure)

Again, simple answer: you don't.

What you can do instead is provide them with a temporary password that is good for one login, and which triggers a mandatory password change.
Some sites allow you to change it back to the original one but many don't (after all, they "forgot" it, no?), so they choose a new one that (hopefully) they won't forget. However, this is still prone to abuse because of the basic insecurity of e-mails, but it's better than nothing; and I don't want to get into a discussion about certificates (unless you really want to know more).

And that is why passwords are usually encrypted using a one-way algorithm (i.e., given a password, you can encrypt it consistently, but you can't decrypt it without a LOT of work).

HIH

Winston

Isn't it funny how there's always time and money enough to do it WRONG?
Articles by Winston can be found here
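An added example, not code from Winston or from the thread, of the "good for one login, then a mandatory change" idea implemented as a single-use reset token rather than a temporary password: the user receives a random token (for instance inside an e-mailed link), the table only holds its hash, and the token can be redeemed exactly once before it expires. The PASSWORD_RESET table, its columns, the lifetime and the class name are assumptions made for the example; what the caller does after a successful redemption is the UPDATE on LOGINDETAILS from the earlier posts.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Timestamp;
import java.time.Instant;
import java.util.Base64;

/** Single-use, time-limited reset token. It never logs the user in; it only unlocks the set-new-password step, which is what makes the change mandatory. */
public class OneTimeReset {

    private static final SecureRandom RNG = new SecureRandom();
    private static final long TTL_SECONDS = 15 * 60;  // assumed lifetime; short, to limit the window if the e-mail is read by someone else

    /** 256 bits of randomness: unguessable, so a plain SHA-256 is enough to protect the stored copy. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Issues a token for the user. The clear token goes to the user; the table (assumed schema) only ever holds its hash. */
    static String issueToken(Connection c, String userId) throws Exception {
        String token = newToken();
        String sql = "INSERT INTO PASSWORD_RESET (USER_ID, TOKEN_HASH, EXPIRES_AT, USED) VALUES (?, ?, ?, 0)";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, userId);
            ps.setString(2, sha256(token));
            ps.setTimestamp(3, Timestamp.from(Instant.now().plusSeconds(TTL_SECONDS)));
            ps.executeUpdate();
        }
        return token;
    }

    /**
     * Redeems a token exactly once. The single UPDATE performs the "unknown / already used / expired" checks
     * atomically, so two concurrent requests with the same link cannot both succeed.
     * Returns the user id, or null when the token is not acceptable.
     */
    static String redeemToken(Connection c, String token) throws Exception {
        String hash = sha256(token);
        String consume = "UPDATE PASSWORD_RESET SET USED = 1 WHERE TOKEN_HASH = ? AND USED = 0 AND EXPIRES_AT > ?";
        try (PreparedStatement ps = c.prepareStatement(consume)) {
            ps.setString(1, hash);
            ps.setTimestamp(2, Timestamp.from(Instant.now()));
            if (ps.executeUpdate() != 1) return null;  // nothing consumed: reject
        }
        try (PreparedStatement ps = c.prepareStatement("SELECT USER_ID FROM PASSWORD_RESET WHERE TOKEN_HASH = ?")) {
            ps.setString(1, hash);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    private static String sha256(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    /** Without a database: shows what the user receives versus what the table stores. */
    public static void main(String[] args) throws Exception {
        String token = newToken();
        System.out.println("sent to user:    " + token);
        System.out.println("stored in table: " + sha256(token));
    }
}
```

Because the table stores only the hash, someone who can read PASSWORD_RESET still cannot construct a valid link, and a second visit to the same link returns null from redeemToken because the USED = 0 condition no longer holds. The user then has to choose a new password; the old one is never shown or restored.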
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30752
    

abhiavi kumar wrote:If I can't replace the old password with the new one,

You can replace the old password with the new one. It's just an update statement.
 