tags:

views:

210

answers:

3
+5  Q: 

Secure ways to reset password or to give old password

What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method?

A: 

I suppose you are going to do it programmatically? Or is it a question for Server Fault?

One of the ways is to send a link to the user's email account. He/she clicks on the link and is redirected to your secure web form where they reset the password.

Do NOT email the password to the user

Andrei Drynov  2010-03-01 23:27:40
+12  A: 

You can't email the password to the user, because you don't know it. You've "hashed" it by applying something like PBKDF2 or bcrypt to it for storage, right?

If you reset the password without confirming it with the owner of the account, an attacker can deny the owner access to his account, at least until he checks his email, by using the victim's email address to request a reset.

A method safe enough for many applications is to email a link to the account owner, containing a large, randomly generated number. This token should only be valid for a limited time. If the owner wishes to reset their password, they click the link and this authenticates them as the account owner. The account owner can then specify a new password.

erickson  2010-03-01 23:27:48
+3  A: 

You shouldn't send passwords via email. Here is a step by step process I've used:

  1. Give users a reset password option.
  2. This option saves a unique token for a user. The token eventually expires (hours, day or days).
  3. A link is emailed to the user which includes the token.
  4. User clicks on the emailed link.
  5. If the token exists and isn't expired, the link loads a new password form. If not, don't load the new password form.
  6. Once the user sets a new password, delete the token and send the user a confirmation email.

Until the new password is set, the old password should remain active. Don't forget to hash and salt the passwords!

simeonwillbanks  2010-03-01 23:48:01

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security