Best practice for resetting passwords

We are about to change the encryption method of a web application. We have hundreds of users and we will need to reset all their passwords. I have their name and email address of course.
It would be almost impossible for us to issue passwords individually. So considering we will run a query to set all passwords as 'null', keeping the username, what is the best practice to have them reset the password themselves so they can then login to the application.

The new password they enter will be encrypted with a new function. But my dilemma is how do I have all users reset their passwords ?
Do I provide them with a link ?  how do I know it will be safe and secure that only they reset it, etc.
LVL 1
AleksAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Big MontyWeb Ninja at largeCommented:
assuming your new encryption method you're using is in it's own include file or at least it's own function, you can create a simple ASP page that queries your database and stores all of your users in a recordset, then loop through that recordset, run the encrypt function, and save it back to the database. something like:

sql = "select userID from users"
set rs = conn.Execute( sql )

do while not rs.eof
    userID = rs( 0 )
    pw = myNewEncryptionFunction()
    sql = "update users set password = '" & pw & "' where userID = " & userID
    conn.Execute( sql )
 
    rs.MoveNext
loop

Open in new window


you'll notice i did not use the command object and parameters, this is because we already know the data is good as it's coming from the database.

if there is any chance that myNewEncryptionFunction() will contain a string with a single quote in it, you'll need to double up the single quotes in the sql statement. if you don't understand, let me know and I'll give you an example.

why do you always post questions right when i sit down to work on my side project? :P
AleksAuthor Commented:
I thought I was your side project  :)

I get the idea. Well ... I do have an encrypt function. I am using a certificate and encryption keys. So I could potentially do something like the above.
Question now is how do I give this new password to each user ?

Perhaps send an email with the decrypted random password to their email address on file ?   Not my cup of toe but doable. As soon as they login they are asked to enter a new password. But still ... in theory only they get their password so it could possibly work.
Big MontyWeb Ninja at largeCommented:
ha, nah you just post more interesting stuff than what I'm currently working on :)

you'd have to email each user. assuming you have an email function, make the call to it after you update the database
OWASP: Avoiding Hacker Tricks

Learn to build secure applications from the mindset of the hacker and avoid being exploited.

mankowitzCommented:
So considering we will run a query to set all passwords as 'null',

I don't think you want to do this. If you reset everyone's password at the same time, then each user will know that everyone else's password is now empty and they could conceivably get into any account, just by knowing the username.

The right thing to do is send a link with a random temp password to the registered email for each user. Even though that poses a risk for intercetors of email, that is still a much lower risk than other users knowing that there is a free-for-all with passwords.
AleksAuthor Commented:
How about this. I delete ALL passwords. Simply run a query to set them to 'null'. I already have a mechanism for 'forgot' password. I could simply rename it to 'reset password', then the next page asks for username and email address. Right now it simply sends the current password. I could instead then 'create' the new password with the new encryption and have it sent to their email address in file.
They would use it to then login and they will be asked then to change it again.

How does that sound ?  Possibly better to let them do it themselves as opposed of having to email all of them myself.
AleksAuthor Commented:
I agree with Mankowitz. Plus when they login they will have to reset their password again, so the email password will no longer pose a threat
Big MontyWeb Ninja at largeCommented:
How about this. I delete ALL passwords. Simply run a query to set them to 'null'.

this would cause a huge security hole, as anybody could log in with any account if they new the user name. I would recommend AGAINST this method

if you need to reset the passwords, YOU have to do the work, or you run the risk of problems arising in the future. what if a user doesn't log on until next month? would the be able to? if not, how would the know right off the bat that they had to reset their password, instead of thinking that there was something wrong with the site?
AleksAuthor Commented:
Let me explain the intended process.
Right now my password has an encrypted password. I can actually leave it as such.

If I change the encryption method to use the new method then if they try to login they will fail.

There already is a function to reset their password. I can use the new encryption function to encrypt that password and to login. Once I change the function in the login page they won't be able to login unless the reset their password (which is sent via email)

So even if they know the username they cannot login, and even if they knew the login and password they wont be able to login either. They will only be able to login if they reset their password.

Fortunately my clients are Law Firms and I can let them know that as of X date to login they need to reset their password in order to login, I will match this with our major upgrade. Resetting their password will be the least of their concerns.

I think that should work .. correct ?

Worse case scenario I get a call from that user telling me they can't login and I tell them to reset their password.  Meantime as I said no one can login until they reset it ....

How is that ?
Big MontyWeb Ninja at largeCommented:
as long as it's secure, then notifying them however you want to do it is secondary

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AleksAuthor Commented:
It should be. We already have the mechanism in place to reset passwords. Might as well use it.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Applications

From novice to tech pro — start learning today.