Solved

Forgotten password, best practice

Posted on 2007-11-29
5
877 Views
Last Modified: 2008-02-01
Currently the passwords are stored hashed in the database, and when a user clicks on the forgotten password link, a new password is generated and sent by email to the user.  I've seen a number of sites that send a link by email instead, and to reset your password, you have to follow the link and reset it that way.

I'm curious if there is any thought on what the best practice is for this function?
0
Comment
Question by:PaulHews
  • 2
  • 2
5 Comments
 
LVL 7

Assisted Solution

by:Wod
Wod earned 100 total points
ID: 20377186
I would say it is more secure to send a link to have the user choose a new password, specially if your website is encrypted..

0
 
LVL 7

Accepted Solution

by:
Infinite_Recursion earned 400 total points
ID: 20377461
OK, this link is to confirm that it was the owner of the email that needed to reset the password, since anyone can click the forgot password link. Also usually that link includes an identifier, that way you can reach the change password screen without having to login (which you cannot do since you have forgotten the password in the first place). That identifier confirms that you are trying to reach the change password screen through the email, and is checked against a record in the database. To be more secure that link might work only once, so when you click on it, the identifier will be removed from the database, thus trying to use the link again will be invalid since there is no such identifier in the database. It is more logical to store BOTH the email and the identifier in the database and check against.
0
 
LVL 38

Author Comment

by:PaulHews
ID: 20382766
>I would say it is more secure to send a link to have the user choose a new password, specially if your website is encrypted..

How is it more secure, and how much more secure is it?

>Also usually that link includes an identifier, that way you can reach the change password screen without having to login (which you cannot do since you have forgotten the password in the first place).

Right, so for example the identifier could be a random string added to the user table.  Test for it in the querystring and we've identified the user in the reset password page.

>To be more secure that link might work only once, so when you click on it, the identifier will be removed from the database, thus trying to use the link again will be invalid since there is no such identifier in the database.

Should also be time limited I suppose?

>It is more logical to store BOTH the email and the identifier in the database and check against.

Say, have them enter their email and submit, then if the email and identifier in the query string match, their password is reset and presented to them?
0
 
LVL 7

Expert Comment

by:Infinite_Recursion
ID: 20392745
A time limit is a logical security measure that can be added.
It seems you understood my points correctly, yes that is what I meant.
0
 
LVL 38

Author Comment

by:PaulHews
ID: 20395405
Thank you both.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
Problem Hi all,    While many today have fast Internet connection, there are many still who do not, or are connecting through devices with a slower connect, so light web pages and fast load times are still popular.    If your ASP.NET page …
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now