Solved

Forgotten password, best practice

Posted on 2007-11-29
880 Views
Last Modified: 2008-02-01
Currently the passwords are stored hashed in the database, and when a user clicks on the forgotten password link, a new password is generated and sent by email to the user.  I've seen a number of sites that send a link by email instead, and to reset your password, you have to follow the link and reset it that way.

I'm curious if there is any thought on what the best practice is for this function?
Question by:PaulHews
5 Comments
 
LVL 7

Assisted Solution

by:Wod
Wod earned 100 total points
ID: 20377186
I would say it is more secure to send a link to have the user choose a new password, especially if your website is encrypted.

 
LVL 7

Accepted Solution

by:Infinite_Recursion
Infinite_Recursion earned 400 total points
ID: 20377461
OK, this link is to confirm that it was the owner of the email who needed to reset the password, since anyone can click the forgot password link. Also, usually that link includes an identifier; that way you can reach the change password screen without having to log in (which you cannot do, since you have forgotten the password in the first place). That identifier confirms that you are trying to reach the change password screen through the email, and is checked against a record in the database. To be more secure, that link might work only once: when you click on it, the identifier will be removed from the database, so trying to use the link again will be invalid, since there is no such identifier in the database. It is more logical to store BOTH the email and the identifier in the database and check against them.
 
LVL 38

Author Comment

by:PaulHews
ID: 20382766
>I would say it is more secure to send a link to have the user choose a new password, specially if your website is encrypted..

How is it more secure, and how much more secure is it?

>Also usually that link includes an identifier, that way you can reach the change password screen without having to login (which you cannot do since you have forgotten the password in the first place).

Right, so for example the identifier could be a random string added to the user table. Test for it in the query string and we've identified the user on the reset password page.

>To be more secure that link might work only once, so when you click on it, the identifier will be removed from the database, thus trying to use the link again will be invalid since there is no such identifier in the database.

Should also be time limited I suppose?

>It is more logical to store BOTH the email and the identifier in the database and check against.

Say, have them enter their email and submit, then if the email and identifier in the query string match, their password is reset and presented to them?
 
LVL 7

Expert Comment

by:Infinite_Recursion
ID: 20392745
A time limit is a logical security measure that can be added.
It seems you understood my points correctly, yes that is what I meant.
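A worked version of the scheme the thread converges on (a random identifier in the emailed link, stored together with the email, usable once, and time limited), added here as an illustration; it is not code from the thread or from either poster. It assumes a hypothetical example.com reset URL, a 30-minute validity window, and an in-memory dictionary standing in for the database table. Storing only a hash of the identifier, and hashing the new password with a salted KDF, are additions beyond what the thread spells out.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption (not from the thread): a reset link is valid for 30 minutes.
TOKEN_TTL_SECONDS = 30 * 60
PBKDF2_ROUNDS = 200_000


@dataclass
class User:
    email: str
    salt: bytes = b""
    password_hash: bytes = b""


@dataclass
class ResetRecord:
    email: str          # stored alongside the identifier, as the accepted answer suggests
    expires_at: float   # the time limit the author asked about


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the database never holds a recoverable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


def _token_hash(token: str) -> bytes:
    # Only a hash of the identifier is stored: a leaked table row cannot be turned into a working link.
    return hashlib.sha256(token.encode()).digest()


class PasswordResetService:
    def __init__(self, users, clock=time.time):
        self.users = {u.email: u for u in users}
        self.reset_records = {}          # token hash -> ResetRecord (stands in for the DB table)
        self.clock = clock               # injectable so the time limit can be tested

    def request_reset(self, email: str):
        """Forgot-password form. Returns the raw token to embed in the emailed link,
        or None for an unknown address. The HTTP response shown to the browser should
        be identical in both cases so the form cannot be used to enumerate accounts."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        self.reset_records[_token_hash(token)] = ResetRecord(email, self.clock() + TOKEN_TTL_SECONDS)
        return token

    @staticmethod
    def reset_link(token: str) -> str:
        # Hypothetical URL; the token in the query string is the only secret in the link.
        return "https://example.com/reset?token=" + token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Reset page: the user follows the link, re-enters the email address and
        chooses a new password. True only if identifier, email and time limit all match."""
        # Single use: the record is removed on the first attempt, whatever the outcome.
        record = self.reset_records.pop(_token_hash(token), None)
        if record is None:
            return False
        if not hmac.compare_digest(record.email.encode(), email.encode()):
            return False
        if self.clock() > record.expires_at:
            return False
        user = self.users[record.email]
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        return True


if __name__ == "__main__":
    svc = PasswordResetService([User("alice@example.com")])
    token = svc.request_reset("alice@example.com")
    print("mail this to alice:", PasswordResetService.reset_link(token))
    print("reset accepted:", svc.complete_reset("alice@example.com", token, "correct horse battery staple"))
    print("second use accepted:", svc.complete_reset("alice@example.com", token, "again"))
```

The user is never shown a generated password: after the link is validated they set their own, and the link is dead from that moment even if the mailbox is read later. Consuming the record on any attempt (wrong email, expired, or successful) means a single link cannot be used to probe for the matching address; the legitimate user simply requests a fresh one.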
 
LVL 38

Author Comment

by:PaulHews
ID: 20395405
Thank you both.