views: 48 | answers: 5

In a web application, if the user forgets his password, it's fairly common practice to send an email to the user with a temporary link or password that expires after a given amount of time. Most of the posts I read on SO suggested expiring the link after 24 to 72 hours, but it seems to me that it would really only be needed for about 10 minutes. My question is, to improve security, is there a good reason to allow such a link to remain active for longer than 10 minutes?

A: 

You are assuming too much about your users. It is not uncommon for a user to request a password reset on the spur of the moment, but not check their email for several hours. For instance, they might be at work when they realise they can't log in to the service, but the email goes to their personal inbox, which they don't read till they get home. They will often do the request for a reset on the spot because they don't want to have to remember to request it later.

Marcelo Cantos
In this case it will most likely go to their business email. Still, I don't see why they just couldn't request it again when they get home.
Peter
The email people use to sign up to services doesn't necessarily correlate to where they use them. You could make them request it again, but that depends on how much you want to annoy your users. There's also the email delay issue others mentioned, which can often take several minutes or even hours in extreme cases. Although this is likely to be rare, once it happens to someone, there's a good chance all their reset emails will arrive too late, and they will be *really* annoyed.
Marcelo Cantos
+1

A: 

Oftentimes there are several-minute delays in sending emails. So ten minutes is cutting it a little too close.

If you are using a decent-sized randomly generated hash in the link, I don't think something like 24 hours is unreasonable. It's unguessable and the only vulnerability would come from the person's email account being hijacked.

advait
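The answer above relies on two properties: the token in the link must be unguessable, and it must stop working after the chosen window. The following is an added example (not code from the question or any answer) showing one way to implement that: the server generates a random token, stores only its hash with an expiry timestamp, and redeems it once within the window. The 24-hour `RESET_TTL`, the in-memory `_reset_tokens` store and the function names are assumptions for illustration; it also invalidates earlier tokens when a user requests a new one, which is the "just request it again" case raised in the comments.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Expiry window discussed in the thread (assumed value for this example).
RESET_TTL = timedelta(hours=24)

# Stand-in for a database table (constructed for this example); a real
# application would persist these records. Keyed by the SHA-256 of the
# token, so a leaked copy of the table does not yield usable links.
_reset_tokens: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    """Hash the token before storing or looking it up."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: datetime, ttl: timedelta = RESET_TTL) -> str:
    """Create a single-use reset token for user_id that expires at now + ttl.

    Any earlier unused tokens for the same user are revoked, so a user who
    requests a reset twice only has the newest link active.
    """
    for record in _reset_tokens.values():
        if record["user_id"] == user_id:
            record["used"] = True

    # 32 bytes from the OS CSPRNG: 256 bits of entropy, not guessable online.
    token = secrets.token_urlsafe(32)
    _reset_tokens[_hash_token(token)] = {
        "user_id": user_id,
        "expires_at": now + ttl,
        "used": False,
    }
    # Only the raw token goes into the emailed link; the hash stays server-side.
    return token


def redeem_reset_token(token: str, now: datetime) -> Optional[str]:
    """Return the user_id if the token is valid, unexpired and unused, else None.

    The token is consumed on success so the same link cannot be replayed.
    """
    record = _reset_tokens.get(_hash_token(token))
    if record is None:
        return None
    if record["used"] or now >= record["expires_at"]:
        return None
    record["used"] = True
    return record["user_id"]


if __name__ == "__main__":
    t0 = datetime.now(timezone.utc)
    link_token = issue_reset_token("alice", t0)
    print("emailed link token:", link_token)
    print("redeem within window:", redeem_reset_token(link_token, t0 + timedelta(hours=1)))
    print("second use:", redeem_reset_token(link_token, t0 + timedelta(hours=2)))
```

Because the store holds only hashes, the expiry and single-use checks are the only things that bound a token's useful life, which is why the length of the window is a product decision (email delay, user habits) rather than a cryptographic one.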
A: 

First question is - How critical is security? What's the worst that can happen if security is breached? (Will money be lost, or will someone be able to post a message on a forum under someone else's name?)

James Curran
Security is important - on a scale of 1 to 10 it's a 7 (10 being a bank and 1 being a forum)
Peter
A: 

24 hours max, in my opinion. I personally always locate the email immediately, but as others have mentioned, there can be unexpected delays. If a user is expecting an immediate response but has to step out before the email arrives, they may not be able to get to it immediately.

I think 12 hours is a good medium. If you make it very short, expect to see users request the reset multiple times within a day or two.

Eclyps19
A: 

Peter, a good way to go about this is having a sensible timeout of 24 hours. This is in case, for example, the recipient's inbox is hacked 1 week after requesting the password and the intruder has the ability to change the password. 24 hours is sensible.

Paul Dragoonis