Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Forgotten password, best practice

Posted on 2007-11-29
5
Medium Priority
?
893 Views
Last Modified: 2008-02-01
Currently the passwords are stored hashed in the database, and when a user clicks on the forgotten password link, a new password is generated and sent by email to the user.  I've seen a number of sites that send a link by email instead, and to reset your password, you have to follow the link and reset it that way.

I'm curious if there is any thought on what the best practice is for this function?
0
Comment
Question by:PaulHews
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 7

Assisted Solution

by:Wod
Wod earned 400 total points
ID: 20377186
I would say it is more secure to send a link to have the user choose a new password, specially if your website is encrypted..

0
 
LVL 7

Accepted Solution

by:
Infinite_Recursion earned 1600 total points
ID: 20377461
OK, this link is to confirm that it was the owner of the email that needed to reset the password, since anyone can click the forgot password link. Also usually that link includes an identifier, that way you can reach the change password screen without having to login (which you cannot do since you have forgotten the password in the first place). That identifier confirms that you are trying to reach the change password screen through the email, and is checked against a record in the database. To be more secure that link might work only once, so when you click on it, the identifier will be removed from the database, thus trying to use the link again will be invalid since there is no such identifier in the database. It is more logical to store BOTH the email and the identifier in the database and check against.
0
 
LVL 38

Author Comment

by:PaulHews
ID: 20382766
>I would say it is more secure to send a link to have the user choose a new password, specially if your website is encrypted..

How is it more secure, and how much more secure is it?

>Also usually that link includes an identifier, that way you can reach the change password screen without having to login (which you cannot do since you have forgotten the password in the first place).

Right, so for example the identifier could be a random string added to the user table.  Test for it in the querystring and we've identified the user in the reset password page.

>To be more secure that link might work only once, so when you click on it, the identifier will be removed from the database, thus trying to use the link again will be invalid since there is no such identifier in the database.

Should also be time limited I suppose?

>It is more logical to store BOTH the email and the identifier in the database and check against.

Say, have them enter their email and submit, then if the email and identifier in the query string match, their password is reset and presented to them?
0
 
LVL 7

Expert Comment

by:Infinite_Recursion
ID: 20392745
A time limit is a logical security measure that can be added.
It seems you understood my points correctly, yes that is what I meant.
0
 
LVL 38

Author Comment

by:PaulHews
ID: 20395405
Thank you both.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have developed many web applications with asp & asp.net and to add and use a dropdownlist was always a very simple task, but with the new asp.net, setting the value is a bit tricky and its not similar to the old traditional method. So in this a…
ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question