Solved

Forgotten password, best practice

Posted on 2007-11-29
5
876 Views
Last Modified: 2008-02-01
Currently the passwords are stored hashed in the database, and when a user clicks on the forgotten password link, a new password is generated and sent by email to the user.  I've seen a number of sites that send a link by email instead, and to reset your password, you have to follow the link and reset it that way.

I'm curious if there is any thought on what the best practice is for this function?
0
Comment
Question by:PaulHews
  • 2
  • 2
5 Comments
 
LVL 7

Assisted Solution

by:Wod
Wod earned 100 total points
ID: 20377186
I would say it is more secure to send a link to have the user choose a new password, specially if your website is encrypted..

0
 
LVL 7

Accepted Solution

by:
Infinite_Recursion earned 400 total points
ID: 20377461
OK, this link is to confirm that it was the owner of the email that needed to reset the password, since anyone can click the forgot password link. Also usually that link includes an identifier, that way you can reach the change password screen without having to login (which you cannot do since you have forgotten the password in the first place). That identifier confirms that you are trying to reach the change password screen through the email, and is checked against a record in the database. To be more secure that link might work only once, so when you click on it, the identifier will be removed from the database, thus trying to use the link again will be invalid since there is no such identifier in the database. It is more logical to store BOTH the email and the identifier in the database and check against.
0
 
LVL 38

Author Comment

by:PaulHews
ID: 20382766
>I would say it is more secure to send a link to have the user choose a new password, specially if your website is encrypted..

How is it more secure, and how much more secure is it?

>Also usually that link includes an identifier, that way you can reach the change password screen without having to login (which you cannot do since you have forgotten the password in the first place).

Right, so for example the identifier could be a random string added to the user table.  Test for it in the querystring and we've identified the user in the reset password page.

>To be more secure that link might work only once, so when you click on it, the identifier will be removed from the database, thus trying to use the link again will be invalid since there is no such identifier in the database.

Should also be time limited I suppose?

>It is more logical to store BOTH the email and the identifier in the database and check against.

Say, have them enter their email and submit, then if the email and identifier in the query string match, their password is reset and presented to them?
0
 
LVL 7

Expert Comment

by:Infinite_Recursion
ID: 20392745
A time limit is a logical security measure that can be added.
It seems you understood my points correctly, yes that is what I meant.
0
 
LVL 38

Author Comment

by:PaulHews
ID: 20395405
Thank you both.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
Introduction This article shows how to use the open source plupload control to upload multiple images. The images are resized on the client side before uploading and the upload is done in chunks. Background I had to provide a way for user…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now