?
Solved

resetting passwords - how to prevent nefarious users guessing the reset url

Posted on 2014-12-04
7
Medium Priority
?
127 Views
Last Modified: 2014-12-09
Hi

Normally when i have a reset passsword function on my website I email the user a link to a page where they can reset theirpassword. I normally make this a random obscure name to stop people guessing the page but is there a safer way for a password reset page? All the solutions i have seen are more insecure than mine such as emailing the user a new plain text password.

Kind regards
0
Comment
Question by:andieje
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 40481018
Usually, the URL to reset should be the same, the IDentifier for the user and the duration for which this identifier is valid is the way to a provide a more secure password reset.  Requiring the inclusion of the username or some additional identifier could make guesshacks more difficult.
Deals with introducing steps.
The user who attacks would have to have a few examples of the reset URL you provide to try and predict/guess.
0
 
LVL 36

Accepted Solution

by:
Loganathan Natarajan earned 2000 total points
ID: 40481038
You can create unique token key value and can be encrypted sent via url to user. When user click it can be decrypted and verified with db filed. Make sure clean the token with some flag. So it cannot be tried again.
0
 
LVL 36

Expert Comment

by:Kimputer
ID: 40481058
Click Reset Password link. Webserver makes a LONG random reset id, with 24 hours expiry, puts it in the database
Link is always the same, except the email address (or user id) with the reset id string posted. Webserver does a database lookup the data is correct (user id/reset id/expire date), and forward to the real reset page.
Have this page be hammer proof (block of page is requested multiple times with different id's)
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 19

Expert Comment

by:Montoya
ID: 40481178
hmm.. why not try TinyURL? It's super easy to implement, you can generate the URL with code, and your user will only see the TinyURL.

:)
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40481419
Because TinyURL always goes to the same page.  No security there.  All the password resets that I have seen work like Kimputer describes.  The reset link/code is always sent to the email address of record.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40482033
I like Kimputer's solution, and I do it just a little bit differently  It's still basically "security by obscurity" but it's very effective.  To "guess" the way forward would require an attacker to guess the md5() string of information you probably do not know.

1. Client visits the "forgot my password" page
2. Page generates a $var == md5() of (the REMOTE_ADDR and the current timestamp)
3. Page sets a cookie with the var
4. Page form requests the client email address
5. Page responds by emailing to the client a URL that contains a link with the $var in the URL.

When client visits the URL, it checks to see if the cookie $var matches the link $var.  If there is a match...

1. Page changes the client password to a random, unique string.
2. Page gives the client the random unique string and a link to the setPassword page.

On the setPassword page, the client has the opportunity to change the password.

There's some back-and-forth with HTTP requests involved in this design, but that's about it.  If you want more, you have to get into two-factor authentication (but that's a whole separate issue).

The central dependency is the client email address.  If I can get into your email I can change your password.  That's true of most such applications.
0
 

Author Closing Comment

by:andieje
ID: 40489590
thanks a lot
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses four methods for overlaying images in a container on a web page
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question