tags:

views:

55

answers:

5
+2  Q: 

What's the best way to implement password recovery from a usability perspective?

I read the other password recovery questions on SO and it seems that most people consider sending a password recovery link that can be used only once and expires after a couple of days to be most secure.

Now my question, (I know it is subjective, but I am looking for input that you may have received from your users)

Is this also decently comfortable for users? and by users I mean your grandmother not you co-worker.

+2  A: 

As a user, I like when I can pick a new password of my choice, then have an activation mail sent to me, providing a clickable link for the new password to take effect.

I do not like when a new one time password is sent to me, having me to log in and edit it in my profile.

Best of all, though, is to have OpenID login, so I don't have to keep any password at all.

Johan  2010-08-03 13:55:48
Apart from your OpenID login password ;) I realise you can check the "Keep me logged in" option but the password is still there.
Lazarus  2010-08-03 13:58:15
@Lazarus My OpenID provider let me authenticate using client certificate, so I don't need a password for my login. That is, however, a bit offtopic. :)
Johan  2010-08-03 14:01:36
you are right about the OpenID but most avg everyday users dont have an OpenID (that they know of) yet.
Sruly  2010-08-03 14:03:25
@Johan, cool :)
Lazarus  2010-08-03 14:08:38
A: 

What is the focus of your site when it comes to access control, usability or security?

If it's usability then perhaps storing passwords in plain text and allowing them to be sent to the registered email address upon request is sufficient and potentially more usable than the more secure alternative.

If security is the answer then trapdoor encoding and password reset is the better option.

Lazarus  2010-08-03 13:57:06
My mom once forgot the password for her webmail account. They provided a form where she was to fill in quite alot of personal details in order to have her password received. She filled in the correct data for herself, and after a manual review, she got a postal letter with her password. At least that was what she taught, til she realized that it was not her account. She had another username. Something must have gone badly wrong in the manual review. :)
Johan  2010-08-03 14:07:20
That's always a risk but the "email my password" approach does at least rely on the stored default email address associated with the user account, so your Mom wouldn't have received the password as she wouldn't have entered another address (postal or email) at which to receive the password.
Lazarus  2010-08-03 14:10:36
A: 

Based on experience, I'd recommend the following:

  1. The user fills in a "forgotten password" form which sends them an email.
  2. The email contains (at least) a password reset link.
  3. If they click on the link they're sent a new randomly generated password. (Mix of upper/lower alpha and numeric minus 0, o, 1, i, etc. for the sake of clarity.)

Whilst this might not be ideal from a pure usability perspective (in an ideal world you wouldn't have to have a password in the first place, let's face it), it does however attempt to ensure that you're carrying out a legitimate password reset.

Alternatively (or indeed in conjunction with the above), you could allow the user to store a simple password reminder text string that's also present in the first outbound email. (If they realise what the password is at this stage they can simply enter it rather than having to perform a reset.) I wouldn't however recommend outputting this on the web site itself, as it's liable to be too strong a clue.

middaparka  2010-08-03 14:01:02
A: 

From a usability perspective? If a login fails three times in a row, assume they have legitimately forgotten their password, let them in anyway and prompt for changing the password.

One of the best systems I've seen for low-security accounts, is to mail a link. No need for the user to remember site URL, username or password. The site doesn't get to know about any weaknesses the user has in managing passwords.

Tom Hawtin - tackline  2010-08-03 14:15:07
+1  A: 

What can be simpler than clicking an activation link and entering a new password?

codymanix  2010-08-03 14:29:28

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security