Solved

resetting passwords - how to prevent nefarious users guessing the reset url

Posted on 2014-12-04
7
110 Views
Last Modified: 2014-12-09
Hi

Normally when i have a reset passsword function on my website I email the user a link to a page where they can reset theirpassword. I normally make this a random obscure name to stop people guessing the page but is there a safer way for a password reset page? All the solutions i have seen are more insecure than mine such as emailing the user a new plain text password.

Kind regards
0
Comment
Question by:andieje
7 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 40481018
Usually, the URL to reset should be the same, the IDentifier for the user and the duration for which this identifier is valid is the way to a provide a more secure password reset.  Requiring the inclusion of the username or some additional identifier could make guesshacks more difficult.
Deals with introducing steps.
The user who attacks would have to have a few examples of the reset URL you provide to try and predict/guess.
0
 
LVL 36

Accepted Solution

by:
Loganathan Natarajan earned 500 total points
ID: 40481038
You can create unique token key value and can be encrypted sent via url to user. When user click it can be decrypted and verified with db filed. Make sure clean the token with some flag. So it cannot be tried again.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 40481058
Click Reset Password link. Webserver makes a LONG random reset id, with 24 hours expiry, puts it in the database
Link is always the same, except the email address (or user id) with the reset id string posted. Webserver does a database lookup the data is correct (user id/reset id/expire date), and forward to the real reset page.
Have this page be hammer proof (block of page is requested multiple times with different id's)
0
ScreenConnect 6.0 Free Trial

Explore all the enhancements in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI, app configurations and chat acknowledgement to improve customer engagement!

 
LVL 19

Expert Comment

by:Montoya
ID: 40481178
hmm.. why not try TinyURL? It's super easy to implement, you can generate the URL with code, and your user will only see the TinyURL.

:)
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40481419
Because TinyURL always goes to the same page.  No security there.  All the password resets that I have seen work like Kimputer describes.  The reset link/code is always sent to the email address of record.
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 40482033
I like Kimputer's solution, and I do it just a little bit differently  It's still basically "security by obscurity" but it's very effective.  To "guess" the way forward would require an attacker to guess the md5() string of information you probably do not know.

1. Client visits the "forgot my password" page
2. Page generates a $var == md5() of (the REMOTE_ADDR and the current timestamp)
3. Page sets a cookie with the var
4. Page form requests the client email address
5. Page responds by emailing to the client a URL that contains a link with the $var in the URL.

When client visits the URL, it checks to see if the cookie $var matches the link $var.  If there is a match...

1. Page changes the client password to a random, unique string.
2. Page gives the client the random unique string and a link to the setPassword page.

On the setPassword page, the client has the opportunity to change the password.

There's some back-and-forth with HTTP requests involved in this design, but that's about it.  If you want more, you have to get into two-factor authentication (but that's a whole separate issue).

The central dependency is the client email address.  If I can get into your email I can change your password.  That's true of most such applications.
0
 

Author Closing Comment

by:andieje
ID: 40489590
thanks a lot
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question