tags:

views:

1150

answers:

10
+5  Q: 

Best way for a 'forgot password' implementation?

I'm thinking what are the best method to implement the forgot password. I come out with 2 ideas. One, when user click on forgot password, the user is required to key in the username, email and maybe date of birth or last name. Then a mail with temporary password will be sent to user email account. The user use the temporary password to login and reset the password. Another similarly but the email with a link to let the user reset password. Or anyone can suggest me a best and secure way to implement. I also thinking like if sending the temporary password or link, forced the user to reset the password within 24 hour or else the temporary password or link will not be usable. how to do that?

+3  A: 

If you include an email address with the registration. The "forget password" button sends an email to that email address. It ensures that the information is send to a trusted email.

(Unless the database is hacked, but then nothing is safe).

Gamecat  2009-07-09 09:30:08
+2  A: 

This was discussed on SO previously.

Richie Cotton  2009-07-09 09:34:23
+6  A: 

I'd go with the second approach. In fact, I have. It's like this:

  1. The user enters his username and hits "forgot password". Optionally you can ask for email and look the username up by the email, but this might fail if two users share the same email address.
  2. The system has a table password_change_requests with the columns ID, Time and UserID. The ID is a long random ID (GUID might do). The Time column contains the time when the user pressed the "Forgot Password" button. When the new user presses the button, a record is created in the table.
  3. The system sends an email to the user which contains a link in it. The link also contains the ID in the above mentioned table. The link will be something like this: http://www.mysite.com/forgotpassword.jsp?ID=01234567890ABCDEF. The forgotpassword.jsp page should be able to retrieve the ID parameter. Sorry, I don't know Java, so I can't be more specific.
  4. When the user clicks the link in the email, he is moved to your page. The page retrieves the ID from the URL and checks against the table. If such a record is there and is no more than, say, 24 hours old, the password is changed to a new random password. The record is also deleted, so that it cannot be reused.
  5. Now you have a choice of how you want to display the password to the user. You can either send another email with it, or display it on the screen. Or both, just to be sure. I always like to send important information to the email as well, because that makes it easier for the user not to forget it.
Vilx-  2009-07-09 09:34:59
The link part i dont really understand how to implement, how can a link contain the ID ?
 2009-07-09 09:39:43
The link can contain the ID as part of the query string, for examplehttp://www.example.com/ResetPassword?ID={ID value}
Crippledsmurf  2009-07-09 09:56:41
Added a bit of clarification about the link.
Vilx-  2009-07-09 10:40:22
Can i know how i can get the id from the url?
 2009-07-10 15:15:51
As I said - I don't know Java, so I can't tell you. But this is such a basic thing that any Java tutorial/manual should have it.
Vilx-  2009-07-10 15:22:08
Warning - Step 5 is flawed - never send the password over email.
Odi - Xceed  2010-07-28 14:12:46
So after all that security you turn around and send the real password in plain text to the user. Frankly I tend to delete my account when a site does stuff like that.
Peter  2010-07-28 14:20:43
@Peter - In my defense: it makes little difference anyway. First of all, if you managed to forget your password, you probably don't care about the site much anyway. Secondly, the new password is randomly generated. If you do care about the site, you will change it immediately anyway, because random passwords are difficult to use regularly. If you don't care, then you simply don't care, and it doesn't matter that the password is in plain text in your mailbox.
Vilx-  2010-07-28 17:35:15
But yes, in retrospect, it might be better to simply allow the user to change the password himself at the webpage instead of generating a random one.
Vilx-  2010-07-28 17:35:34
+1  A: 

Just ask for the e-mail address and if that's associated with any user reset the password and send it to the address (you shouldn't be capable to send the original password as it is hashed... it is right?). The temporal password might have an expiration period or could be cancelled if the user enters the right one in the log in form.

With this method the steps needed to reset a password are minimal. The simplest the better

victor hugo  2009-07-09 09:35:32
I can see two downsides with this method: 1) User's can't register multiple accounts with the same email address. 2) Anyone can reset other people's passwords (over and over again).
lemonad  2009-07-09 09:58:53
@lemonad Often the solution to #2 is to send a link saying "Click here to reset", instead of the email saying "Here's your new password". That way, if they didn't hit the "Send reset" button, it doesn't happen.
Margaret  2009-07-09 13:24:29
+2  A: 

It all depends on your site and the level of security that you're trying to achieve but the basic process for a web app goes something like the following:

  1. The user navigates to the 'forgot my password' page and enters their username or email (whichever is unique) to request a password reset.

  2. Optionally at this stage you can confirm the request by asking for additional information such as the answer to a predefined security question or their date of birth etc. This extra level stops users receiving emails they didn't request.

  3. Look up the user's account. Save a temporary password (usually a GUID) and timestamp against the account record. Send an email to the user containing the temporary password.

  4. The user either clicks on the link containing the temporary password and the user's identifier in the email or navigates to the 'forgot my password' page and copy & pastes the temporary password and their identifier. The user enters their new password and confirms it.

  5. Look up the user's record and if the current time is within a specified time limit (e.g. 1 hour) of the timestamp saved in step 2 then hash and save the new password. (Obviously only if the temporary passwords match!). Delete the temporary GUID and timestamp.

The principal here is that the user is emailed a temporary password that let's them change their password. The originally stored password (it should be hashed!) is never changed to a temporary password in case the user remembers it.

The original password will never be displayed to the user as it should be hashed and unknown.

Note this process relies entirely on the security of the user's email account. So it depends on the level of security your wish to achieve. This is usually enough for most sites/apps.

David G  2009-07-09 10:23:24
A: 

As said, it depends on the level of security required, however, if you need a higher level, some novel solutions I have seen include;

  • Displaying half of the temporary password when the user's identity has been confirmed (security question, email address etc.) then the other half being sent to the email account. If the email account has been compromised, it is unlikely that the same person has also managed to perform a man-in-the middle attack. (Seen on UK Goverment Gateway)

  • Confirming identity via email and another medium - for example a code sent via text to a registered mobile. (Seen on eBay / PayPal)

For somewhere in between these two extremes implementing security questions may be the way to go as mentioned by DaveG.

Tom Werner  2009-07-09 10:36:06
+1  A: 

When you are sending any information via email, it won't be secure. There are too many ways someone can get it. It would be child's play for a skilled hacker looking to steal your information.

Refrain from sending any personal information like passwords and income information via email as it can become VERY EMBARRASSING for you and your organization if such information was leaked or stolen. Think about security seriously. It just takes that one incident for all the bricks to fall.

As for password retrieval, thoroughly read Forgot Password Best Practices.

The bottom line is that an application following best practices should allow a user to reset his own password. Personal security questions should be used. The application should not send email, display passwords, nor set any temporary passwords.

jinsungy  2009-07-09 13:12:08
http://stackoverflow.com/questions/1069722/sending-username-and-password-through-email-after-user-registration-in-web-applic/1074507#1074507
jinsungy  2009-07-09 13:12:27
A: 

I would enforce unique email addresses across the accounts.

Then it is a simple matter of sending a link to a temporary page that allows the person to change their password. (allow 24 hours or less)

The user's email account is the weakest link in this scenario.

Harry  2009-07-09 13:19:21
A: 

Never email a password to the user. Even if it is auto-generated. Best approach (recommend and used by SANS and others):

  1. On the forgot password page, ask the email/user id and a NEW password from the user.
  2. Email a link to the stored email for that account with an activation link.
  3. When the user clicks on that link, enable the new password.

If he doesn't click the link within 24 hours or so, disable the link (so that it does not change the password anymore).

Never change the password without the user consent. It means do not email a new password just because someone clicked on the forgot password link and figured out the account name.

Sucuri  2009-07-13 18:42:18
I'm concerned with this technique. Attacker enters your email and a NEW password. Account owner receives the email, misreads something, and clicks on the link. Attacker standing by, trying new password every minute, gains access to the account until account owner realizes what happened and eventually goes to "forgot password" page.
Odi - Xceed  2010-07-28 14:03:48
+1  A: 

I'll go with:

  1. Ask user for email, check email is registered
  2. Generate GUID, and send it to that email
  3. Do not reset password yet
  4. User clicks link, and then have to enter new pass
  5. Reset password only after user is in your site, and have clicked reset button after typing new pass.
  6. Make that GUID expirable within a short time period to make it safer.
andres.santana  2010-09-05 00:30:28

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security