Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial


3 Answers


TL:DR As Andreas mentions you will be unable to retrieve the password once hashed, A recommended method is to use an existing tried and tested plugin which will handle these security issues for you such as:

If your interested in the actually workflow then::

  • User visits password reset page which asks them for their email
  • the app authenticates the email address and sends them an email containing a one use password reset string.
  • This password reset string is stored in a password_reset column within the database, usually on the users table along with an expiration time (usually set to 2hours after the email is sent)
  • The user receives the email containing a link formatted: www.yourapp.com/password_reset/<random password reset string>/<user_id>
  • Upon visiting this page the application authenticates the user_id and then checks the reset string against that stored along with the expiration time.
  • if they are authenticated the user is presented with a new password form, which will update the users password.

While this allows the user to easily regain access to the account, there are a number of security issues that a developer needs to be aware of:

  • The string needs to be random, and unlikely to be easily replicated - isDangerous can accomplish this
  • By informing a user that an email is not recognised, an attacker can easily generate a list of recognised emails and then attack the login page with a rainbow table of possible passwords until they eventually gain access to the app.

Hope this helps Bob

great comments bob. Need to change my password update method to address the possible security flaws.

Not sure you can actually recover the password as the hashing is a one way process. I have done this sort of thing by sending the user a link and getting them to update the password to something new rather than changing the existing password.

mubarak basuudde
mubarak basuudde
Courses Plus Student 19,320 Points

Oh yes .thank you..well as for PASSWORD RESET and helpful libraries or tips,,