views: 61 | answers: 3

Most lost-password workflows result in a page that is reached via a temporary link emailed to the user. This link then takes them to a page that asks for a new password.

Upon entering the new password, should a user be forced to log on manually, or should the password reset page authenticate the user automatically, which would reduce the number of steps and thus the complexity of the process for the end user?

I often encounter password reset pages that make me reset my password and then log in, which feels like I'm logging in twice for no good reason.

+2  A: 

I don't know of any significant advantage to forcing the user to re-enter the password that they just entered twice. If someone does, I'd be interested to hear about it.

Steven Sudit
Not a significant advantage, but forcing a manual login immediately after a password reset could help in updating their browser's saved password to the new one. Non-technical users would become confused if they reset their password and, when they return next week, the saved password no longer works.
Martin
That's a good point, and one that I hadn't considered. Arguably, there may be other ways to do this, such as by ensuring that the password-setting form looks enough like the password-entry form to trigger the browser's password-saving code.
Steven Sudit
Plus, it gets them to start associating the look of the login page with their new password immediately rather than after X amount of time, making it easier to remember it.
Fanis
+3  A: 

I quite like drupal's method: The user gets sent an email with a link in it which will log them on once; upon logging in with it they are given the opportunity to change their password.

Jords
That's *almost* the right way to go. Better to give them a link that will let them set the password, but will not let them log on.
Steven Sudit
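The flow Steven Sudit suggests in the comment above (an emailed link that lets the holder set a new password but does not log them in), as an added Python example that is not part of the original thread and is not Drupal's code. The in-memory `UserStore`, the 15-minute link lifetime and the PBKDF2 parameters are assumptions chosen for the example. The token is spent when the new password is submitted, not when the link is merely opened, so that mail scanners and link prefetchers cannot burn it:

```python
"""Single-use password-reset links that set a password without logging the user in.

Added example; not from the original thread. Assumptions: an in-memory
UserStore stands in for the application's user/session tables, links live
15 minutes, and passwords are hashed with PBKDF2-HMAC-SHA256.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60    # assumed lifetime of a reset link
PBKDF2_ITERATIONS = 600_000    # OWASP-recommended minimum for PBKDF2-HMAC-SHA256


def _digest(token: str) -> bytes:
    # Only the hash of the token is stored and looked up, so a leaked
    # reset table does not yield working links.
    return hashlib.sha256(token.encode()).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(actual, expected)   # constant-time comparison


class UserStore:
    """Hypothetical stand-in for the app's user, session and reset-token tables."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.credentials = {}   # user_id -> (salt, pbkdf2 hash)
        self.sessions = {}      # session_id -> user_id
        self._reset = {}        # sha256(token) -> (user_id, expires_at)

    def issue_reset_token(self, user_id: str) -> str:
        """Create the opaque token that goes into the emailed link."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        # A new request supersedes any earlier outstanding link for this user.
        self._reset = {k: v for k, v in self._reset.items() if v[0] != user_id}
        self._reset[_digest(token)] = (user_id, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def peek_reset_token(self, token: str) -> bool:
        """Called when the link is opened: show the form only if the token is
        live, but do NOT spend it (mail scanners may open the link first)."""
        entry = self._reset.get(_digest(token))
        return entry is not None and self.clock() <= entry[1]

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Called when the new-password form is submitted. Spends the token.

        On success the password is replaced and every existing session for the
        user is revoked. No session is created: the link only lets the holder
        set a password; a normal login follows.
        """
        entry = self._reset.pop(_digest(token), None)   # pop => single use
        if entry is None:
            return False
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.credentials[user_id] = hash_password(new_password)
        # Whoever held the old password or a stolen cookie is logged out.
        self.sessions = {sid: uid for sid, uid in self.sessions.items() if uid != user_id}
        return True

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Normal login: the only code path that creates a session."""
        cred = self.credentials.get(user_id)
        if cred is None or not verify_password(password, *cred):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user_id
        return sid
```

After a successful `complete_reset` the page redirects to the ordinary login form. That keeps the single authentication path, and, as noted in the first answer's comments, gives the browser's password manager a normal login to capture the new credential.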
+1  A: 

You should make it auto-login. I don't see why you would make the user log in.

If it's because of bot protection, just add a captcha when the user logs in using the link.

lesderid
I don't even see how it would offer bot protection, since the whole point is that the link was only made available to the recipient at that email address.
Steven Sudit