We need to provide a way to reset passwords for users who are using our website. The typical way is to send an email to the user and ask them to click on a link to reset it.

The issue is that we don't want to run a mail server just for the purpose of resetting passwords. Is there another clever way of resetting a password without having to mail the user?

EDIT: This is for users who forgot their passwords.

+2  A: 

You can immediately expire their current password and require them to change it next time they login. A couple of password reset systems do this.

EDIT: Since this is for users that forgot their password rather than a forced change, you should just take them directly to the link you would have emailed them anyway when they forgot their password. Make them enter an e-mail address they registered with and some other data you can validate with. Basically, what the other answers said.

SB
This is probably going to be the most elegant solution given the requirements.
David
just a note: that would not be helpful if the user forgets the password, since you need the original password in the first place.
Adam Kiss
@Adam - yes you're right. I'm not really sure what the context of the reset is. If it's a "Forgot your password?" link, then a security question and personal details like other answers is better. But if it's something to force the user to reset the password every X days, this is my suggestion.
SB
This is for people who forgot their passwords
Cory
The only reason password resets are sent to emails rather than directly given as a link is the extra security that the mail password provides. In this case, anyone who knows the security questions can reset the password.
pinaki
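The flow this answer describes (expire the current password, or take the user straight to the reset page once they have proved who they are) still needs a token that is single-use and short-lived, otherwise the link shown on screen is a standing credential. The following is an added example, not code from the original answer: it uses an in-memory stand-in for the users table, a placeholder host in the link, and an arbitrary 15-minute lifetime. Identity verification (registered e-mail plus whatever other data you validate) is assumed to happen before `issue_reset_token` is called.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 15 * 60  # constructed choice: a short lifetime limits exposure of an on-screen link


def _hash_token(token: str) -> str:
    # Only a hash is stored, so a leaked database does not contain live reset tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetStore:
    """Hypothetical in-memory stand-in for a users table (not the site's real storage)."""

    def __init__(self):
        # email -> {"pw_hash": str, "must_change": bool, "reset": None | {"hash": str, "expires": float}}
        self.users = {}

    def add_user(self, email: str, pw_hash: str) -> None:
        self.users[email] = {"pw_hash": pw_hash, "must_change": False, "reset": None}


def force_password_change(store: ResetStore, email: str) -> None:
    """The answer's first suggestion: invalidate the current password so the next
    successful login is forced through a change-password step."""
    store.users[email]["must_change"] = True


def issue_reset_token(store: ResetStore, email: str, now: float = None) -> str:
    """Create a single-use, time-limited token and return the link to display directly.
    The caller must already have verified the user's identity."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store.users[email]["reset"] = {
        "hash": _hash_token(token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    # Placeholder host; the token is the last query parameter.
    return "https://example.invalid/reset?" + urlencode({"email": email, "token": token})


def redeem_reset_token(store: ResetStore, email: str, token: str,
                       new_pw_hash: str, now: float = None) -> bool:
    """Accept the token once, within its lifetime, and set the new password hash."""
    now = time.time() if now is None else now
    user = store.users.get(email)
    if user is None or user["reset"] is None:
        return False
    record = user["reset"]
    if now > record["expires"]:
        user["reset"] = None  # expired tokens are discarded, not kept around
        return False
    # Constant-time comparison of the stored hash against the hash of what was presented.
    if not hmac.compare_digest(record["hash"], _hash_token(token)):
        return False
    user["reset"] = None  # single use: a second submission of the same link fails
    user["pw_hash"] = new_pw_hash
    user["must_change"] = False
    return True


if __name__ == "__main__":
    store = ResetStore()
    store.add_user("alice@example.invalid", "old-hash")
    link = issue_reset_token(store, "alice@example.invalid")
    print("show this link to the verified user:", link)
```

Because the token is never stored in clear and is consumed on first use, showing the link on screen is no worse than mailing it, provided the identity check that gates `issue_reset_token` is sound; pinaki's comment above is exactly the point that this check is now the whole defence.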
A: 

The usual answer to this would be some form of security question. If you don't have some barrier for the user to cross, you open the system up to allow almost anyone to reset the password.

James Burgess
+1  A: 

You could use standard mail to send new password :-).

Generally you need to verify that the user who is trying to reset the password is the one who originally registered. The easiest way is to send a password reset link to the email used at registration. Alternatively you can have some kind of security question which will allow resetting the password, but most people will choose something really lame and you end up with a server where it is quite easy to steal identities.

Michal Čihař
Do you know how to run a standard mail server within your web server? :)
Cory
Just use whatever your distribution has as default, eg. `apt-get install exim4`.
Michal Čihař
+3  A: 

You need some way to validate the user's identity to prevent other people resetting the password. Perhaps you could get them to set up some questions (like mother's maiden name, favourite colour) when they sign up. They can only reset their password if they correctly answer the questions.

macleojw
Ah yes, the good old "insecurity questions"... Why not just ask "Do you promise that you really are this user and not an evil hacker? Y/N"
Michael Borgwardt
I agree, but "mother's maiden name" is NOT an acceptable security question, nor is their favorite color.
TravisO
What questions would you suggest?
macleojw
Let the user pick the questions and answers. Give them the gun.
SB
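If security questions are used at all, the answers deserve the same handling as passwords: salted slow hashing, case and whitespace normalisation so legitimate users can actually match their own answers, and a per-account attempt counter, since the comments above are right that the answer space is small. This is an added example, not code from the answer or its commenters; the PBKDF2 round count and the five-attempt lockout are constructed values, and `Account` is a hypothetical stand-in for the user record.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # constructed value; tune to your hardware
MAX_ATTEMPTS = 5         # constructed value; guessing "favourite colour" must not be free


def normalize_answer(answer: str) -> str:
    """Fold case, normalise Unicode and collapse whitespace so 'New  York' == 'new york'."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 over the normalised answer; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def enroll_questions(qa_pairs: List[Tuple[str, str]]) -> List[dict]:
    """Build the record to store at sign-up: question text plus salt and hash of each answer.
    Plain-text answers are never kept."""
    record = []
    for question, answer in qa_pairs:
        salt, digest = hash_answer(answer)
        record.append({"q": question, "salt": salt, "hash": digest})
    return record


class Account:
    """Hypothetical user record holding the enrolled questions and a failure counter."""

    def __init__(self, questions_record: List[dict]):
        self.questions = questions_record
        self.failed_attempts = 0


def verify_answers(account: Account, answers: List[str]) -> bool:
    """All answers must match. Every answer is checked even after one fails, so the
    response time does not reveal which question was wrong, and failures count
    toward a lockout."""
    if account.failed_attempts >= MAX_ATTEMPTS:
        return False  # locked: staff intervention or another factor required
    ok = len(answers) == len(account.questions)
    for record, given in zip(account.questions, answers):
        _, digest = hash_answer(given, record["salt"])
        ok &= hmac.compare_digest(record["hash"], digest)
    if not ok:
        account.failed_attempts += 1
        return False
    account.failed_attempts = 0
    return True


if __name__ == "__main__":
    acct = Account(enroll_questions([("First pet's name?", "Rex"), ("City of birth?", "New  York")]))
    print("correct answers accepted:", verify_answers(acct, ["rex", "new york"]))
    print("wrong answers rejected:", not verify_answers(acct, ["rex", "boston"]))
```

Letting the user write their own questions (SB's suggestion) changes only the `qa_pairs` input; the storage and verification path stays the same. The lockout is per account, so it also needs pairing with rate limiting per source address in the web tier.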
+1  A: 

There must be some class that communicates directly with a remote SMTP server (e.g., the ISP's SMTP server) by using sockets - just find such a class and you won't have to run a private SMTP server to send e-mails.

binaryLV
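In practice this is what the standard library of most languages already offers: a client that submits mail to someone else's relay on the submission port, with TLS and authentication, so no mail server runs on the web host. The following is an added example in Python (not the answer's code): `build_reset_message` assembles the reset mail and `send_via_relay` submits it through an authenticated STARTTLS session. The relay host, port and credentials are placeholders you would replace with your ISP's or provider's values.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Placeholder relay settings (constructed; substitute your provider's values).
RELAY_HOST = "smtp.example.invalid"
RELAY_PORT = 587          # submission port; STARTTLS is negotiated after connecting
RELAY_USER = "relay-user"
RELAY_PASSWORD = "relay-password"


def build_reset_message(sender: str, recipient: str, reset_link: str) -> EmailMessage:
    """Plain-text reset mail. The link is the only secret in it, so keep the text short
    and make clear that an unrequested mail can be ignored."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Password reset request"
    msg["Auto-Submitted"] = "auto-generated"  # tells mailers not to auto-reply
    msg.set_content(
        "A password reset was requested for your account.\n"
        f"If this was you, open: {reset_link}\n"
        "If it was not you, ignore this message; the link expires shortly.\n"
    )
    return msg


def send_via_relay(msg: EmailMessage, host: str = RELAY_HOST, port: int = RELAY_PORT,
                   user: str = RELAY_USER, password: str = RELAY_PASSWORD) -> None:
    """Submit the message through a remote relay over an authenticated TLS session.
    create_default_context() verifies the relay's certificate against the system CAs,
    so credentials are never sent to an impostor on the path."""
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities can change after TLS is up
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    message = build_reset_message(
        "noreply@example.invalid", "user@example.invalid",
        "https://example.invalid/reset?token=PLACEHOLDER",
    )
    print(message)  # send_via_relay(message) would submit it to the configured relay
```

Keep the relay credentials out of the web application's source tree (environment or a secrets store), and note that a relay shared with the rest of the ISP's customers is a reason to keep the mail body free of anything beyond the single-use link.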
+2  A: 

I had this same issue with a very odd and demanding client. The site was a company intranet, that could be accessed via a VPN for telecommuters. One of the requirements (it was written in bold):

Password re-set mechanism should be convenient and not rely on e-mail. Re-set requests must be granted conveniently and require evidence that the site trusted the visitor prior to the re-set request.

What I ended up doing was generating a Mandelbrot (100x100) for the user to download as their 're-set' token, along with some secret questions that they would have to answer. To change their password, they would have to answer their questions and upload their fractal (the quadratic plane was defined based on their private information with simple hashing to avoid collisions).

This satisfied a requirement that password re-sets had to be based on what they had as well as what they knew. If they lost the fractal or forgot the answers to their secret questions, they had to appear in person to have the password re-set.

Not exactly bulletproof, but it satisfied the needs at the time. The challenge was making the fractals unique (at least 30 pixels unique), since most users shared a lot of common private data (city, state, area code, etc.).

Edit

The fractal (rather, a one way representation of it) was used elsewhere as well. Think RFID + camera.

Tim Post
Also, biometrics were not an option.
Tim Post
Using a fractal certainly has style and might impress users, but a simple nonce would do the same job...
Michael Borgwardt
@Michael - this isn't the only thing we used the fractal for :) Some things are best hidden in plain view.
Tim Post
I like the idea of the fractal that is generated from user data. Quite an interesting application of math. I wonder how often it made something that was actually interesting to look at....
Kris.Mitchell
@Kris.Mitchell - with salt they were interesting but similar, since most employees shared common private data. As I said, it's not exactly bulletproof. It did help mitigate RFID snatching and someone who knew a user well and could answer secret questions, at least to the point of the requirements.
Tim Post
+1  A: 

Use OpenID. Then it becomes the problem of an OpenID service provider to recover your users' passwords. And your users will be thankful for they don't need to remember yet another stinky password.

codeholic