Solved

resetting passwords - how to prevent nefarious users guessing the reset url

Posted on 2014-12-04
7
107 Views
Last Modified: 2014-12-09
Hi

Normally when i have a reset passsword function on my website I email the user a link to a page where they can reset theirpassword. I normally make this a random obscure name to stop people guessing the page but is there a safer way for a password reset page? All the solutions i have seen are more insecure than mine such as emailing the user a new plain text password.

Kind regards
0
Comment
Question by:andieje
7 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 40481018
Usually, the URL to reset should be the same, the IDentifier for the user and the duration for which this identifier is valid is the way to a provide a more secure password reset.  Requiring the inclusion of the username or some additional identifier could make guesshacks more difficult.
Deals with introducing steps.
The user who attacks would have to have a few examples of the reset URL you provide to try and predict/guess.
0
 
LVL 36

Accepted Solution

by:
Loganathan Natarajan earned 500 total points
ID: 40481038
You can create unique token key value and can be encrypted sent via url to user. When user click it can be decrypted and verified with db filed. Make sure clean the token with some flag. So it cannot be tried again.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 40481058
Click Reset Password link. Webserver makes a LONG random reset id, with 24 hours expiry, puts it in the database
Link is always the same, except the email address (or user id) with the reset id string posted. Webserver does a database lookup the data is correct (user id/reset id/expire date), and forward to the real reset page.
Have this page be hammer proof (block of page is requested multiple times with different id's)
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 19

Expert Comment

by:Iammontoya
ID: 40481178
hmm.. why not try TinyURL? It's super easy to implement, you can generate the URL with code, and your user will only see the TinyURL.

:)
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40481419
Because TinyURL always goes to the same page.  No security there.  All the password resets that I have seen work like Kimputer describes.  The reset link/code is always sent to the email address of record.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 40482033
I like Kimputer's solution, and I do it just a little bit differently  It's still basically "security by obscurity" but it's very effective.  To "guess" the way forward would require an attacker to guess the md5() string of information you probably do not know.

1. Client visits the "forgot my password" page
2. Page generates a $var == md5() of (the REMOTE_ADDR and the current timestamp)
3. Page sets a cookie with the var
4. Page form requests the client email address
5. Page responds by emailing to the client a URL that contains a link with the $var in the URL.

When client visits the URL, it checks to see if the cookie $var matches the link $var.  If there is a match...

1. Page changes the client password to a random, unique string.
2. Page gives the client the random unique string and a link to the setPassword page.

On the setPassword page, the client has the opportunity to change the password.

There's some back-and-forth with HTTP requests involved in this design, but that's about it.  If you want more, you have to get into two-factor authentication (but that's a whole separate issue).

The central dependency is the client email address.  If I can get into your email I can change your password.  That's true of most such applications.
0
 

Author Closing Comment

by:andieje
ID: 40489590
thanks a lot
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now