tags:

views:

1105

answers:

7
+9  Q: 

Forgot Password: what is the best method of implementing a forgot password function?

I'm wondering what the best method is for creating a forgot password function on a website. I have seen quite a few out there, here are a few or combination of:

  • passphrase question / answer (1 or more)
  • send email with new password
  • on screen give new password
  • confirmation through email: must click link to get new password
  • page requiring user to enter a new password

What combination or additional steps would you add to a forgot password function? I'm wondering about how they request the new password and how they end up getting it.

I'm operating on the principal that the password cannot be retrieved; a new password must be given/generated.

Edit I like what Cory said about not displaying if the username exists, but I'm wondering what to display instead. I'm thinking half the problem is that the user forgot which email address they used, which displaying some sort of "does not exist" message is useful. Any solutions?

+7  A: 

Send email with new password.

FORCE a password change when they arrive and key in the new password.

This ensures that the person who wanted the password will be the only only getting in to the account.

If the email is sniffed, someone could get in to the account (of course), but the real party will discover this immediately (as their password you just sent them doesn't work).

Also send confirmations of password changes to the users.

If someone get the new password, and then an email saying "thanx for changing the password", they're going to be rather puzzled and will talk to an admin if they didn't do it.

Will Hartung  2009-02-07 02:15:38
+18  A: 
  1. I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
  2. If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.

Option 1 is far easier.

gbrandt  2009-02-07 02:15:52
Option 1 also has the advantage of not being susceptible to DoS attacks on the user. For example, someone constantly clicks the "reset password" link in option 2, so the user is effectively locked out of their account. You can guard against it, but why bother? Option 1 is the way to go...
William Brendel  2009-02-07 02:30:30
A: 

Option 1. is not a good idea, as generally his becomes easily guessable by others. Sarah Palin's personal email (Yahoo I think) was hacked in this way by a third party.

The other options are better and previous posts have outlined the detail.

Jayden  2009-02-07 02:24:46
How do you "easily guess" long randomly generated strings?
Reinis I.  2010-09-01 06:51:54
My 'Option 1' reference is no longer clear with other posts - it refers to the first option presented by the OP. It referred to a suggestion of using a 'secret question' , that if answered correctly could be quessted such as 'what highschool did you attend?'. Sorry for this becoming unclear.
Jayden  2010-10-13 20:53:55
+1  A: 

Using the email verification/password reset link will give you better security. If you look around this is how most websites do it and people are pretty used to this verification, so I'd recommend using this type of authentication.

Brock Woolf  2009-02-07 02:25:21
+9  A: 

A few important security concerns:

  • A passphrase question / answer actually lowers security since it typically becomes the weakest link in the process. It's often easier to guess someone's answer than it is a password - particularly if questions aren't carefully chosen.
  • Assuming emails operate as the username in your system (which is generally recommended for a variety of reasons), the response to a password reset request shouldn't indicate whether a valid account was found. It should simply state that a password request email has been sent to the address provided. Why? A response indicating that an email does/doesn't exist allows a hacker to harvest a list of user accounts by submitting multiple password requests (typically via an HTTP proxy like burp suite) and noting whether the email is found. To protect from login harvesting you must assure no login/auth related functions provide any indication of when a valid user's email has been entered on a login/pass reset form.

For more background, checkout the Web Application Hackers Handbook. It's an excellent read on creating secure authentication models.

Cory House  2009-02-07 04:44:16
A: 

Does anyone know of any Java frameworks that does this for me? Preferably open source.

 2009-02-19 19:35:06
This should probably be a new question.
Darryl Hein  2009-02-19 22:03:40
A: 

I would think (gbrandt's) Option 2 would be a great method if it is combined with some personal information you already have for the user. i.e date of birth.

When the user requests a new password (reset) via entering his email address, he also has to enter a correct date of birth (or something else) before the password is reset and a new one is emailed to the user.

Only those who know him well can possibly annoy him by resetting his password! It cant be a stranger or a bot

Upon 5 or 7 bad email-address & date of birth combinations the user is emailed that his password has been requested to be reset and has failed due to an incorrect credential. Then password resetting for that account is suspended for 24hrs or any desired period.

(if too many users contact the webadmin regarding this email he'll know someone is trying to maliciously attain information from your website/app)

What do you guys think?

Auero  2010-08-31 18:43:28

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication