Question asked by Aleks: Best practice for resetting passwords

We are about to change the encryption method of a web application. We have hundreds of users and we will need to reset all their passwords. I have their name and email address, of course.
It would be almost impossible for us to issue passwords individually. So, considering we will run a query to set all passwords to 'null', keeping the username, what is the best practice to have them reset the password themselves so they can then login to the application?

The new password they enter will be encrypted with a new function. But my dilemma is: how do I have all users reset their passwords?
Do I provide them with a link? How do I know it will be safe and secure, so that only they can reset it, etc.?
SOLUTION from Big Monty: content available only to Experts Exchange members.
ASKER (Aleks):
I thought I was your side project  :)

I get the idea. Well ... I do have an encrypt function. I am using a certificate and encryption keys. So I could potentially do something like the above.
The question now is how do I give this new password to each user?

Perhaps send an email with the decrypted random password to their email address on file? Not my cup of tea, but doable. As soon as they login they are asked to enter a new password. But still ... in theory only they get their password, so it could possibly work.
SOLUTION: content available only to Experts Exchange members.
SOLUTION: content available only to Experts Exchange members.
ASKER (Aleks):
How about this. I delete ALL passwords. Simply run a query to set them to 'null'. I already have a mechanism for 'forgot password'. I could simply rename it to 'reset password'; then the next page asks for username and email address. Right now it simply sends the current password. I could instead 'create' the new password with the new encryption and have it sent to their email address on file.
They would use it to then login, and they will then be asked to change it again.

How does that sound? Possibly better to let them do it themselves as opposed to having to email all of them myself.
ASKER (Aleks):
I agree with Mankowitz. Plus, when they login they will have to reset their password again, so the emailed password will no longer pose a threat.
SOLUTION: content available only to Experts Exchange members.
ASKER (Aleks):
Let me explain the intended process.
Right now my password has an encrypted password. I can actually leave it as such.

If I change the encryption method to use the new method then if they try to login they will fail.

There already is a function to reset their password. I can use the new encryption function to encrypt that password and to login. Once I change the function in the login page they won't be able to login unless they reset their password (which is sent via email).

So even if they know the username they cannot login, and even if they knew the login and password they won't be able to login either. They will only be able to login if they reset their password.

Fortunately my clients are Law Firms, and I can let them know that as of X date they need to reset their password in order to login. I will match this with our major upgrade. Resetting their password will be the least of their concerns.

I think that should work... correct?

Worst case scenario, I get a call from that user telling me they can't login and I tell them to reset their password. Meantime, as I said, no one can login until they reset it....

How is that?
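The flow settled on in this thread, as an added example that is not code from the thread or from Experts Exchange: every stored credential is nulled at migration time so nobody can log in with the old scheme, then a user who supplies the matching username and e-mail gets a random, single-use, time-limited reset token (the "link" the question asks about) and picks a new password stored under the new hashing function. The in-memory user table, the placeholder standing in for the legacy-encrypted value, the PBKDF2 parameters and the one-hour token lifetime are all assumptions.

```python
import hashlib, hmac, os, secrets, time

RESET_TTL = 3600  # assumed policy: a reset token is valid for one hour

# Constructed stand-in for the real user table; the placeholder string is the legacy-encrypted value.
USERS = {"alice": {"email": "alice@example.com", "password_hash": "legacy-ciphertext-placeholder", "reset": None}}

def new_hash(password: str, salt: bytes = None) -> str:
    """Assumed new storage scheme: salted PBKDF2-HMAC-SHA256, stored as 'salthex$dkhex'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()

def verify_hash(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

def invalidate_all_passwords() -> None:
    """The migration step from the thread: every row loses its credential at once."""
    for rec in USERS.values():
        rec["password_hash"] = None

def issue_reset_token(username: str, email: str, now: float = None):
    """Return the token to e-mail, or None. Only its hash is stored, so reading the table is not enough to redeem it."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["email"].lower(), email.lower()):
        return None  # same answer for unknown user and wrong e-mail, so the form does not enumerate accounts
    token = secrets.token_urlsafe(32)
    rec["reset"] = {"hash": hashlib.sha256(token.encode()).hexdigest(),
                    "exp": (now or time.time()) + RESET_TTL}
    return token

def redeem_reset_token(username: str, token: str, new_password: str, now: float = None) -> bool:
    """Store the new password under the new scheme if the token is valid, unexpired and unused."""
    rec = USERS.get(username)
    pending = rec["reset"] if rec else None
    if not pending or (now or time.time()) > pending["exp"]:
        return False
    if not hmac.compare_digest(pending["hash"], hashlib.sha256(token.encode()).hexdigest()):
        return False
    rec["password_hash"] = new_hash(new_password)
    rec["reset"] = None  # single use: the same link cannot be replayed
    return True

def login(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None or rec["password_hash"] is None:
        return False  # a nulled row never authenticates, whatever the old password was
    return verify_hash(password, rec["password_hash"])
```

In a real deployment the token goes into the e-mailed link and the expiry and used-token state live in the database rather than in this dictionary.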
ASKER CERTIFIED SOLUTION: content available only to Experts Exchange members.
ASKER (Aleks):
It should be. We already have the mechanism in place to reset passwords. Might as well use it.