What is the best method to reset a user password when the password is hashed:

  1. Reset the password to a random string and send that string to their registered mail?
  2. Create a unique hash link for resetting the password which is valid for an hour and send that link by mail?
  3. Any other method?
+4  A: 

2 is the best method. Never ever mail a password in plain form. Even better, don't keep it in your system this way. Always have it hashed and salted.

Follow-up to comments: Emailing hashes instead of plain passwords may also be insecure, but you are pursuing a different goal through this. Many people use the same password for all sites, from Facebook up to online banking. A particular hash may get compromised, but not the password itself, which is the point.

Developer Art
One hour is a bit short, though. I've seen mail servers taking several hours to deliver mails (most notably the one our Uni has :/)
Joey
Sending the hash link in plain form is no more secure, though. You can't help a bit of insecurity when resetting a password, unless you want to make it *really* awkward for the user.
Jan Krüger
I don't believe he was implying that he would store generated passwords in plain text.
Justin Johnson
Storing password hashes is a very common practice, as it is safer than storing plain text or encrypted passwords. How do YOU store passwords?
rotard
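The "hashed and salted" storage this answer insists on, as an added example that is not code from any of the posters above: each password gets its own random salt, the salt is stored next to the digest so the same password never produces the same stored value twice, and verification recomputes the digest rather than ever decrypting anything, which is why there is no plain password to mail out. The scrypt cost parameters are an assumption for illustration and should be tuned to your own hardware budget.

```python
import hashlib
import hmac
import os

# scrypt work factors (assumed values for this example; raise them as hardware allows).
SCRYPT_N = 2 ** 14   # CPU/memory cost: 128 * r * N bytes ≈ 16 MiB
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def _derive(password: str, salt: bytes) -> bytes:
    """Stretch a password with scrypt under a given salt."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        dklen=DIGEST_BYTES,
    )


def hash_password(password: str) -> str:
    """Return a storable record 'scrypt$<salt hex>$<digest hex>' with a fresh random salt.

    Only this string goes into the database; the password itself is never stored,
    so there is nothing in plain form that could later be emailed back to a user.
    """
    salt = os.urandom(SALT_BYTES)          # per-password salt from the OS CSPRNG
    digest = _derive(password, salt)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                        # malformed record, never a match
    if scheme != "scrypt":
        return False
    candidate = _derive(password, bytes.fromhex(salt_hex))
    # compare_digest avoids leaking, via timing, how many leading bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
```

Because the salt is random, two users who happen to pick the same password end up with different records, so a leaked table cannot be attacked with one precomputed lookup for all rows at once.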
+6  A: 

Create a unique hash link for resetting password which is valid for an hour and sending that link to mail

This is the method that I prefer. It allows you to reset the password if and only if the user visits the link. This way, if someone is maliciously trying to reset passwords, the user can simply delete the email and be unaffected (not have to enter a new password).

Also, you should give the reset link some sort of longer expiration date (like 12 to 24 hours).

Justin Johnson
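The flow this answer describes, as an added example that is not code from the answer's author: a reset request creates an unguessable token, only a hash of the token is kept on the server, the link carries the token itself, and the account's password is left untouched until someone presents that token before it expires. The token is single use, and the 12-hour lifetime follows the longer window suggested in this answer rather than the one hour in the question. The in-memory store and the injected clock are stand-ins for a database table and real time, constructed so the example runs offline.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 12 * 60 * 60   # 12 hours, the lower end of the range suggested above


class ResetTokenStore:
    """Stand-in for the table of pending reset requests (constructed for this example).

    Keyed by sha256(token): a leaked copy of this table yields no usable links, and
    a token from a real link still matches because the same hash is recomputed here.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, Tuple[str, float]] = {}   # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for the user; any earlier pending token is dropped."""
        self._pending = {d: rec for d, rec in self._pending.items() if rec[0] != user_id}
        token = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG; infeasible to guess
        self._pending[self._digest(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token                        # embedded in the emailed link, never stored

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id if the token is known and unexpired, consuming it either way."""
        record = self._pending.pop(self._digest(token), None)   # single use
        if record is None:
            return None
        user_id, expires_at = record
        if self._clock() > expires_at:
            return None                     # expired: removed above, never honoured
        return user_id


class Accounts:
    """Minimal user table (constructed); passwords here are opaque 'stored' values."""

    def __init__(self) -> None:
        self.stored_password: Dict[str, str] = {}

    def set_password(self, user_id: str, stored_value: str) -> None:
        self.stored_password[user_id] = stored_value


def request_reset(store: ResetTokenStore, user_id: str) -> str:
    """Step 1: build the link body. Nothing about the account changes yet."""
    return f"https://example.invalid/reset?token={store.issue(user_id)}"   # placeholder host


def complete_reset(store: ResetTokenStore, accounts: Accounts,
                   token: str, new_stored_value: str) -> bool:
    """Step 2: only a valid, unexpired, unused token may change the password."""
    user_id = store.redeem(token)
    if user_id is None:
        return False
    accounts.set_password(user_id, new_stored_value)
    return True


if __name__ == "__main__":
    accounts = Accounts()
    accounts.set_password("alice", "old-hash")
    store = ResetTokenStore()
    link = request_reset(store, "alice")
    print(link)                                   # what the email would carry
    print(accounts.stored_password["alice"])      # still 'old-hash': nothing changed yet
    token = link.split("token=", 1)[1]
    print(complete_reset(store, accounts, token, "new-hash"))   # True
    print(complete_reset(store, accounts, token, "evil-hash"))  # False: already consumed
```

The `new_stored_value` argument is whatever your password-storage routine produces for the user's new password; this block deliberately does not hash passwords itself, it only governs when a change is allowed. A token that is never clicked simply ages out of the store, which is exactly the "delete the email and be unaffected" property the answer points out.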
+1  A: 

#2 is preferable to #1 if only because sending a password in plain text via email exposes it unnecessarily.

Other options are:

  • use password hint questions
  • use OpenID and punt the entire problem to the user's OpenID provider.
Asaph
I would not want my password accessible by answering a few questions. The Sarah Palin hacker proved that this is a bad idea.
Nico Burns
The first other option is a horrible one. At least I tend to forget the questions/answers much more frequently than my passwords and those questions pose a serious security risk. I resorted to just pasting /dev/random into those for sites that would force me to enter a question/answer.
Joey
@Nico Burns: You misunderstood what password hint questions do. They don't reveal a hashed password. That is, of course, impossible. Instead, they help jog the user's memory about what password they selected. Having said that, password hint questions are admittedly not a great option. I listed it in the answer because the OP seemed to be looking to consider different alternatives.
Asaph
+1 for OpenID! Why bother at all? Someone smarter than me already solved the problem.
Jörg W Mittag
A: 

It depends on the sensitivity of the information you are protecting...

There is a fine balance between security and usability, and you need to decide where it is, and what assets you are protecting.

What I would normally do (assuming no financial data is involved) is option 2, minus the 1 hour limit.

Oded
A: 

I found a really interesting method on some websites: they send you a new password via SMS. This is awesome because the e-mail can be hacked, but the phone... I don't think it can be easily hacked.

Victor Hurdugaci