I am looking for some guidance on implementing a password recovery service in ASP.NET that emails a link to the user which sends them to a password reset page as I don't want to email existing or regenerated passwords in cleartext.
I have seen some suggestions of using the member id as a querystring parameter; however, I feel this may be open to abuse as the custom membership table I am working with uses ints instead of GUIDs as the id field.
I'm thinking that I need to create a custom table containing a unique (long) id along with the member id which is populated each time a user requests a password recovery. This id will then be passed as part of the querystring in the link to the password reset page.
When a user clicks on the link the page will look up the id in the custom table and get the member id from there allowing the user to change the password against that membership.
Does this seem like a valid approach; is it overkill? Any other suggestions would be greatly appreciated.
Sounds perfectly serviceable. My only recommendation would be to use a computed value instead of a random ID for the email link. Perhaps a hashed version of the person's username? This is purely borne of my disdain for random numbers. :)
That would be how I would handle it. But don't forget to remove the row from the database when you are done and implement some sort of flood control. I know there are tons (literally) of combinations for guids but running a simple IP check vs how many attempts in the last 5 minutes and blocking them after x number of attempts could help increase the security of the reset. This would become more important the larger your userbase is and how often they forget their passwords.
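One way to implement the lookup-table link the question describes, together with the single-use row and the flood control the answer above recommends, as an added C# example that is not code from the question or any answer. The class and method names, the 30-minute lifetime, and the in-memory dictionary standing in for the custom table are assumptions; the link token is generated from the CSPRNG and only its hash is stored, so a copy of the table does not yield usable links.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the question or answers); class and method names are assumed.
public sealed class PasswordResetService
{
    // Stands in for the custom table: key = SHA-256 of the token, value = member id + expiry.
    private readonly Dictionary<string, (int MemberId, DateTime ExpiresUtc)> _pending = new();
    private readonly TimeSpan _lifetime = TimeSpan.FromMinutes(30);
    // Flood control state: timestamps of recent reset attempts per requester (e.g. client IP).
    private readonly Dictionary<string, Queue<DateTime>> _attempts = new();

    // Called when a user asks for recovery. Returns the opaque token to put in the emailed link.
    public string CreateResetToken(int memberId)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(32);          // 256 bits from the CSPRNG
        string token = Convert.ToBase64String(raw)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');     // URL-safe for the querystring
        _pending[Hash(token)] = (memberId, DateTime.UtcNow.Add(_lifetime)); // store the hash only
        return token;
    }

    // Called by the reset page. Consumes the token; returns the member id, or null if unknown/expired.
    public int? RedeemResetToken(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string key = Hash(token);
        if (!_pending.TryGetValue(key, out var entry)) return null;
        _pending.Remove(key);                     // single use: delete the row even if it turns out expired
        if (DateTime.UtcNow > entry.ExpiresUtc) return null;
        return entry.MemberId;
    }

    // Flood control: allow at most maxAttempts redemptions per requester in any 5-minute window.
    public bool AllowAttempt(string requester, int maxAttempts = 5)
    {
        DateTime windowStart = DateTime.UtcNow.AddMinutes(-5);
        if (!_attempts.TryGetValue(requester, out var recent))
            _attempts[requester] = recent = new Queue<DateTime>();
        while (recent.Count > 0 && recent.Peek() < windowStart) recent.Dequeue();
        if (recent.Count >= maxAttempts) return false;
        recent.Enqueue(DateTime.UtcNow);
        return true;
    }

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}
```

The reset page would call AllowAttempt with the client address before RedeemResetToken, and only show the change-password form when a member id comes back; in a real deployment the two dictionaries become database tables so the state survives restarts and is shared across web servers.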
Read this: Best Practices for your "Forgot Password" feature.
It should be pretty clear.