Forgotten password, best practice

Currently the passwords are stored hashed in the database, and when a user clicks on the forgotten password link, a new password is generated and sent by email to the user.  I've seen a number of sites that send a link by email instead, and to reset your password, you have to follow the link and reset it that way.

I'm curious if there is any thought on what the best practice is for this function?
LVL 38
PaulHewsAsked:
Who is Participating?
 
Infinite_RecursionConnect With a Mentor Commented:
OK, this link is to confirm that it was the owner of the email that needed to reset the password, since anyone can click the forgot password link. Also usually that link includes an identifier, that way you can reach the change password screen without having to login (which you cannot do since you have forgotten the password in the first place). That identifier confirms that you are trying to reach the change password screen through the email, and is checked against a record in the database. To be more secure that link might work only once, so when you click on it, the identifier will be removed from the database, thus trying to use the link again will be invalid since there is no such identifier in the database. It is more logical to store BOTH the email and the identifier in the database and check against.
0
 
WodConnect With a Mentor Commented:
I would say it is more secure to send a link to have the user choose a new password, specially if your website is encrypted..

0
 
PaulHewsAuthor Commented:
>I would say it is more secure to send a link to have the user choose a new password, specially if your website is encrypted..

How is it more secure, and how much more secure is it?

>Also usually that link includes an identifier, that way you can reach the change password screen without having to login (which you cannot do since you have forgotten the password in the first place).

Right, so for example the identifier could be a random string added to the user table.  Test for it in the querystring and we've identified the user in the reset password page.

>To be more secure that link might work only once, so when you click on it, the identifier will be removed from the database, thus trying to use the link again will be invalid since there is no such identifier in the database.

Should also be time limited I suppose?

>It is more logical to store BOTH the email and the identifier in the database and check against.

Say, have them enter their email and submit, then if the email and identifier in the query string match, their password is reset and presented to them?
0
 
Infinite_RecursionCommented:
A time limit is a logical security measure that can be added.
It seems you understood my points correctly, yes that is what I meant.
0
 
PaulHewsAuthor Commented:
Thank you both.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.