views: 33
answers: 3

I'm looking to add password-reset functionality to my site and have been browsing the numerous threads discussing various aspects of that issue here on SO. One thing I haven't really seen clarified is how much information to require from the user for confirmation before sending out the reset email.

  • is email alone enough?
  • email + account username?
  • email + account username + some other identifying value all accounts must input?

I don't want my site to seem like an old wrinkly nun with a ruler, but I don't want people to be able to abuse the password reset system willy-nilly.

Suggestions?

+3  A: 

I use just an email and send an email to that person with an activation code in a link. That activation code expires within 2 days, and once it gets used it is also invalidated.

This means the person has to have access to that email account in order for it to work, and it can only be used once.

It is not uncommon to use the email + account username, but my email IS what you sign in with, there are no usernames. The decision is up to you.

I think email is enough without it becoming a nuisance.

Kerry
A: 

  • Email
  • Some other identifying value all accounts must input. Like a security question.

Babiker
+1  A: 

First concern should be security. How bad would it be if another person got hold of a user's password? If this is unacceptable, I'd say what Babiker said - email and a security question of some sort, preferably something that's never communicated between the site and the user, with the exception of the sign-up process or a security settings edit by the user. The assumption here is that the user's email account has been compromised.

If security is not a huge deal, i.e. there are no real privacy/financial/etc risks involved, I think email is enough. To minimize risk for nuisance, you could do what Kerry suggested - i.e. not reset the password automatically, but provide a verification link. Also, you might want to place some restrictions on how frequently the feature can be used by a given user to prevent someone from filling your inbox by repeatedly entering your email.

Lauri Lehtinen
Good point on the restrictions - I'm thinking blocking additional requests to the same email until after the first token expires, and including the site admin's contact email to allow users to try and explain extenuating circumstances.
Andrew Heath
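As an added example (not code from any of the posters), here is one way to implement the scheme Kerry describes together with Andrew's throttling rule: a single-use reset token that expires after two days, kept server-side only as a hash, with a second request for the same email refused while an unexpired token is outstanding. The `send_email` callable and the injectable clock are assumptions made for illustration and testing.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 2 * 24 * 3600  # Kerry's two-day expiry

class PasswordResetService:
    """Issues single-use, time-limited reset tokens keyed by email.

    Only a SHA-256 hash of each token is stored, so a leaked table does
    not yield usable reset links. Constructed example: `send_email` and
    `clock` are hypothetical injection points, not a real library API.
    """

    def __init__(self, send_email, clock=time.time):
        self._send_email = send_email
        self._clock = clock
        self._pending = {}  # email -> (token_hash, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Return True if a reset email was sent, False if throttled."""
        now = self._clock()
        pending = self._pending.get(email)
        if pending and pending[1] > now:
            # Andrew's rule: no new token until the outstanding one expires.
            return False
        token = secrets.token_urlsafe(32)  # CSPRNG, unguessable
        self._pending[email] = (self._hash(token), now + TOKEN_TTL_SECONDS)
        self._send_email(email, token)  # the raw token goes only to the inbox
        return True

    def redeem(self, email, token):
        """Return True once for a valid, unexpired token; False otherwise."""
        pending = self._pending.get(email)
        if not pending:
            return False
        token_hash, expires_at = pending
        if self._clock() > expires_at:
            del self._pending[email]  # expired: discard and refuse
            return False
        if not secrets.compare_digest(token_hash, self._hash(token)):
            return False
        del self._pending[email]  # single use: invalidate on first success
        return True
```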