views: 214
answers: 3
Hi, in my ASP.NET website I would like to implement "forgot password". I am using the following steps:

  1. A form with input boxes for login ID and email ID, plus a CAPTCHA.
  2. When the user enters the details and submits, at the backend, after validation, a new password is generated and replaces the old password in the database.
  3. The new password is sent to the user by email.

Please help me: am I doing this right or not?

Is there any other, more secure mechanism for the same?

[EDIT] Thanks, I got your reply. Really, this is a secure mechanism. But here I have a few doubts:

  1. What message should I show to the user when he enters the login ID and email address on the forgotten-password page?
  2. Would the message be the same for a valid user and a malicious user?
  3. What is the advantage of using a CSRF token? Any help / link?
  4. When the user clicks on the link, what should I do? As I guess, the user should automatically be logged into their account; after that I have two choices: (first) send a new password automatically to the user, or (second) show a new form where the user enters the old password and the new password twice?

Please help.

+5  A: 

There are many ways this has been implemented. As you said, generating a new password and sending it to the registered email address is one method. I wouldn't suggest you go that route though, as my password would be reset every time somebody tried guessing my password.

Instead, the best thing I've seen to date is simply emailing the registered email with a link that will begin a password reset process. You may even let the user know which email address to check by showing a masked version of their email address used in registration:

An email was sent to ********@hotmail.com. Please check your inbox to continue.

Be sure to keep in consideration those of us who may forget which email address we registered with; typically a few security questions are a great way to make that information available.

Jonathan Sampson
+1 Consider the user registered with [email protected] Any security concerns with saying "we emailed you a link at the email address you used... starts with foo@"... comments on this strategy?
p.campbell
@pcampbell - +1 I really like this idea, as I sometimes want to know what email I registered with, but I think a better approach is to provide the domain name instead of the email address (@hotmail.com, @yahoo.com, @gmail.com) since I think most people are likely to have the same email address, just at different providers.
Baddie
I like seeing a masked version of my email address if anything. I've updated my post to reflect this.
Jonathan Sampson
You mean first I need to validate the user's email, and then, if validation passes, send the password to that email?
Hemant Kothiyal
Hemant, no. I would send the email to whatever email address is on file for that particular username.
Jonathan Sampson
Can't we send a new password automatically to the user when he clicks on the link in the email?
Hemant Kothiyal
Showing the domain name presents a privacy problem since in some cases, the domain name alone can identify a user.
RickNZ
RickNZ, mask as much as you feel is necessary :)
Jonathan Sampson
Hemant, you could send a new random password if you like. I would prefer getting to provide my own, but it's entirely up to you.
Jonathan Sampson
+3  A: 

I've done that recently. When the user enters their username or email address, we generate a unique token and email it to them as part of a link. Upon receipt of that email, they click the link, are automatically logged in, taken to the My Account screen, and prompted to reset their password.

Of course, this relies 100% on the security of the email client, but it's hard to beat from a usability perspective.

gahooa
This is a great solution; just don't forget to store only a hash of the password and not the password in plain text. You could remove the CAPTCHA too, as it is not really necessary because you have to check for the match between the email and the username.
Hubert Perron
I have a few questions. 1. What is the advantage of generating a unique token? 2. If I redirect the user to the account page where the user has to type a new password, what will happen in this case if I automatically generate a password and send an email to the user? What is the reason we need to generate a unique token and show the account form to the user to change the password?
Hemant Kothiyal
The difference between automatically generating a password and having the (authenticated) user enter a password is that they will remember the one they enter. Additionally, it never keeps the password in the email; in case someone later gains access to saved email, it will not help them break in.
gahooa
OK, tell me one thing: if the user clicks on the link with the unique token, is it good to log the user in automatically, without asking for login credentials?
Hemant Kothiyal
@Hemant: yes, you can auto-log them in provided you have the token. You see, the token IS the authentication (deferred), that was obtained through the "Forgot my password" link. It asserts that they have access to their email account.
gahooa
+5  A: 

I can see why you'd want a CAPTCHA, but I'd take a different approach.

  1. When a password reset is requested, check that a reset has not already been requested for that account within the last X minutes. If a reset has already been requested, ignore the reset request.
  2. Check the IP requesting the password reset. If that IP has requested a password reset in the last Y minutes, ignore the request.
  3. If the checks in 1 & 2 pass, check that the account exists. If it doesn't, ignore the request.
  4. If we've gotten this far, generate a one-time token, which expires in Z minutes, and a password reset URL which encompasses this token. Email this to the registered email address. When the URL is loaded, prompt for a new password and reset.

For those who believe that you should tell the user where the email has gone, I strongly disagree. This is "information leakage", even if you do limit it to the domain name. For example, say I've registered on JeffAtwoodEatsBabies.com as blowdart. If Jeff had requested a password reset for me and you showed the registration domain, then he'd see idunno.org. This is my personal domain, and thus Jeff would know the blowdart user is, in fact, me. This is a bad, bad thing. I should not have to register using hotmail or gmail or whatever in order to protect myself from your code showing an email domain to all and sundry.

In addition, you shouldn't be showing error messages at all. No matter what happens (a username is not actually registered, too many requests have been made, or the sky has fallen), you should be telling the user that the password reset procedure has started. Informing a user that an account doesn't exist is more information leakage.

One final thing you could do is add a CSRF token to the reset request page, so it cannot be driven from other web sites.

Followup

So to answer your further questions.

  1. What message you show is up to you. "Instructions for resetting your password have been emailed to the registered email for this account" is one idea, but really it's down to your audience.
  2. Already addressed above.
  3. Wikipedia is a good starting point. How you do it depends on your platform and is a completely different question! For ASP.NET you could look at my codeplex project, http://anticsrf.codeplex.com, or look at ViewStateUserKey.
  4. When the link is clicked, I would first validate the token in the URL against the username it's being applied to; then I would either allow the user to enter a new password, or generate a new one and email it. You can't prompt for the old one, as the whole point is that the user has forgotten it!
blowdart
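The CSRF token mentioned in the answer (item 3 of the follow-up), as an added example that is not part of the original answer or of the anticsrf project: a synchronizer token derived per session and checked on the POST, written in Python rather than ASP.NET to keep it runnable here. The session id, form field names, `/forgot-password` action and the `SERVER_KEY` are assumptions; the binding of the token to the session is the same idea as ASP.NET's ViewStateUserKey.

```python
import hashlib
import hmac
import html
import secrets

# Assumed server-side key; a real site loads it from protected configuration,
# never from source code.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session token: an HMAC of the session id under the server key.

    A page on another site cannot read the victim's session cookie and does not
    hold SERVER_KEY, so it cannot compute the token to put in a forged POST.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_reset_form(session_id: str) -> str:
    """Embed the token as a hidden field; the browser sends it back with the POST."""
    token = html.escape(csrf_token_for(session_id))
    return (
        '<form method="post" action="/forgot-password">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="text" name="username">'
        '<input type="submit" value="Reset password">'
        "</form>"
    )


def handle_reset_post(session_id: str, form: dict) -> str:
    """Refuse the request unless the submitted token matches this session's token."""
    supplied = form.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "rejected: missing or invalid CSRF token"
    # Token verified; hand off to the actual reset logic (rate limits, token email).
    return f"accepted: reset request queued for {form.get('username', '')!r}"


if __name__ == "__main__":
    sid = "session-A"
    print(render_reset_form(sid))
    print(handle_reset_post(sid, {"username": "hemant", "csrf_token": csrf_token_for(sid)}))
    print(handle_reset_post(sid, {"username": "hemant"}))  # what a cross-site form can send
```

A forged request from another site arrives with the victim's session cookie but without the hidden field (or with a token computed for the attacker's own session), so the handler rejects it before any reset email is sent.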
What if a genuine user inputs their info but accidentally misspells it? Now you've told them that the process has begun; they may not notice their error and go about their business, but never get the email and wonder why your site is broken.
Jason
Well you have to balance security against hamfisted users. It's only a choice the site admin can make, but generally I recommend that my clients come down on the side of security. Information leaks are on the OWASP Top Ten - they're not something to be taken lightly.
blowdart
Please help further. I have edited my post with a further query.
Hemant Kothiyal
Thanks, you have cleared up a lot of my queries. Is there any link where I can see a demonstration of the steps you have written?
Hemant Kothiyal
Also, can you tell me the procedure for validating the token ID?
Hemant Kothiyal
No - it's always going to be unique per site, and I don't have one to hand to share.
blowdart
Well, that depends on how you generate them. And that is up to *you*. You could, for example, generate a GUID, shove it in a database table linked to the membership ID and look it up when it arrives. But really, at some point you have to start looking at how *you* are implementing your site and decide what fits with *your* workflow.
blowdart
OK, tell me one thing: if the user clicks on the link with the unique token, is it good to log the user in automatically, without asking for login credentials?
Hemant Kothiyal
I wouldn't, until the password change is complete. It depends - do I generate a new password, or allow a reset via a form. If the form then yes, I'd login after the new password was entered.
blowdart
Hey blowdart, I am thinking about one point: let's say I got your token link and I click the link for a new password; then it will not stop me from setting a new password, because the only validity check is the token. Isn't it?
Hemant Kothiyal
blowdart
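The full reset flow from blowdart's four steps and gahooa's answer, plus the points raised in the comments (token looked up against the username, a link that works only once and then expires, so the last question above is answered by the `used` and `expires_at` checks), as an added example that is not code from any of the answerers. It is written in Python rather than ASP.NET so it runs stand-alone; the cooldown values for X, Y and Z, the `example.invalid` addresses, the reset URL and the sample account are assumptions. One deliberate step beyond the "GUID in a table" comment: the table holds a SHA-256 of the token rather than the token itself, so a leaked table does not yield working reset links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Policy knobs: the X, Y and Z minutes from the answer (values are assumptions).
ACCOUNT_COOLDOWN = 15 * 60   # X: at most one reset request per account per 15 min
IP_COOLDOWN = 60             # Y: at most one reset request per client IP per minute
TOKEN_TTL = 30 * 60          # Z: the reset link is valid for 30 minutes
RESET_BASE_URL = "https://example.invalid/reset"   # assumed reset page

# One message for every outcome, so the page never reveals whether the account exists.
NEUTRAL_MESSAGE = ("If an account matches, instructions for resetting your "
                   "password have been emailed to its registered address.")


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store only a salted, stretched hash of the password, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


@dataclass
class Account:
    username: str
    email: str
    password_hash: str


@dataclass
class ResetToken:
    username: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Steps 1-4 of the answer, plus single-use tokens from the follow-up comments."""

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.tokens = {}            # sha256(token) -> ResetToken (stand-in for the DB table)
        self.last_account_req = {}  # username -> time of last request
        self.last_ip_req = {}       # client ip -> time of last request
        self.outbox = []            # (email, link) pairs; stands in for sending mail
        self.now = now              # injectable clock, so expiry can be exercised

    @staticmethod
    def _token_id(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username: str, client_ip: str) -> str:
        now = self.now()
        never = float("-inf")
        # Steps 1 and 2: cooldown per account and per IP; silently drop on a hit.
        if now - self.last_account_req.get(username, never) < ACCOUNT_COOLDOWN:
            return NEUTRAL_MESSAGE
        if now - self.last_ip_req.get(client_ip, never) < IP_COOLDOWN:
            return NEUTRAL_MESSAGE
        self.last_account_req[username] = now
        self.last_ip_req[client_ip] = now
        # Step 3: unknown account -> same message, nothing sent.
        account = self.accounts.get(username)
        if account is None:
            return NEUTRAL_MESSAGE
        # Step 4: unguessable (256-bit), expiring, one-time token mailed as a link.
        token = secrets.token_urlsafe(32)
        self.tokens[self._token_id(token)] = ResetToken(username, now + TOKEN_TTL)
        link = RESET_BASE_URL + "?" + urlencode({"user": username, "token": token})
        self.outbox.append((account.email, link))
        return NEUTRAL_MESSAGE

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        """Validate the token against the username, then set the new password."""
        record = self.tokens.get(self._token_id(token))
        if record is None or record.used or record.username != username:
            return False
        if self.now() > record.expires_at:
            return False
        record.used = True             # a link works exactly once
        self.accounts[username].password_hash = hash_password(new_password)
        return True

    def verify_login(self, username: str, password: str) -> bool:
        account = self.accounts.get(username)
        return account is not None and verify_password(password, account.password_hash)


def parse_reset_link(link: str) -> tuple:
    """What the reset page does with the URL the user clicked: (username, token)."""
    query = parse_qs(urlparse(link).query)
    return query["user"][0], query["token"][0]


# Constructed sample data for the demonstration.
SAMPLE_ACCOUNTS = [Account("hemant", "hemant@example.invalid", hash_password("old-secret"))]
```

Every branch of `request_reset` returns the same text, so the caller has nothing to show a guessing attacker; the only visible side effect is the email, which goes to the address on file. The reset page should only log the user in after `complete_reset` returns True, which is the point blowdart makes in the comments.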