Password change: Best practice

views:

answers:

+2 Q:

Password change: Best practice

I'm writing Baby's First Web Application. My first task has been to set up an authentication system, which I think I've done okay on. I'm new to the whole thing, though, so:

When the user reports that he's forgotten his password, I e-mail him a temporary replacement password in plain text. It's perhaps not the most secure way to handle the situation, but it's how I do it for now. I do force him to change it at the next login, and the technique I use is to carry a "must-change" field in the database, set to true for users who've been sent the e-mail.

My question: Is a separate database column the best tactic under the circumstances, or is there something better I can do?

+1 A:

A separate column is quite reasonable.

Operating systems typically have a "password expiration timestamp" field which doubles as a "must change at next logon" flag simply by setting the timestamp to 0 (AKA January 1, 1970). Web sites do not usually have password expiration dates, in which case a plain boolean flag suffices.

John Kugelman 2010-08-05 21:53:16

It's good to hear my approach is reasonable. I do try to think these things through, so I'm grateful for the affirmation.

Tony 2010-08-07 04:20:09

I presume you are storing passwords hashed and salted. If not, do so. If so, you could store meta-data in the salt. E.g. the salt is [0-9a-z]{8}, but for temp passwords it is ____[0-9a-z]{4}. (before downvoting, people, read on!) The point in this, is that a separate field might get edited separately from the hash field. Of course that should never happen, but it can happen. (failing queries, moronic sysadmins, people who have discovered phpmyadmin and think they understand the system, etc) Keeping the "state" of the password in the salt, prevents such mayhem: on validation of the password, you will always be able to see that you validated against a temp password, and you will always be able to identify the user who needs to get a "enter new password" prompt.

mvds 2010-08-05 22:10:13

Interesting. I do hash the password, and I'll definitely look into the idea of salting it as well. Thanks.

Tony 2010-08-07 04:21:51

My practice has always been to overload the email validation (where you send an email to the registrant to make sure that the registrant owns the address) to also function as a password reset mechanism. I use certain information about the user (username, id, email, and importantly, the current password hash in DB) to make a hash, which is included in a URL that's emailed to the user, at which point they can set a new password of their choosing.

That being said, the "best practice" vis-a-vis user authentication is 95% of the time to user a library that someone else has written and tested extensively. Just search Google for one that's appropriate for your framework.

Steven Xu 2010-08-05 22:21:08

Aha, e-mail validation! I hadn't considered that, but of course it's a common and sensible practice. Thanks.As for using someone else's library: Certainly that's almost always a good idea. However, I'm at the stage now where I'm still trying to get my mind around all of the issues that are involved. To do that, I function best by writing some crude code myself and polishing it a bit as I go. I may well end up using an external library, though. The authentication wheel has been invented. I doubt I can make it any rounder.

Tony 2010-08-07 04:26:14

ansaurus

tags:

views:

answers:

Password change: Best practice

related questions