| Re: Most secure way to reset a password via email link [message #185158 is a reply to message #185156] |
Wed, 05 March 2014 14:56   |
Ben Bacarisse
Messages: 82
Registered: November 2013
Karma:
|
Member |
|
|
jvd_200089(at)yahoo(dot)co(dot)uk writes:
> When resetting a password:
> 1) Emailing a new password that the user then logs in with and resets
> is the most simple method for non hashed passwords.
This is reasonable provided the only thing that the user can do is log
in to a "change my password" page, and that makes it very similar in
complexity to the second option. It just makes it a tiny bit more fussy
for the user.
If the emailed password can be used as normal until the user changes it,
then this method is less secure than the second. An interloper will get
full access to the user's account until the users gets round to changing
the password -- often with no sign that anything is wrong.
> 2) The other way involves sending a link for them to click on that
> redirects them to the password reset page but unless their email is
> secure anyone could click that link. What is special about this 2nd
> way? because thats what how my boss wants it to work because there is
> not point doing it that way if it isn't more secure than sending them
> a temporary new password.
In this case, an interloper can do only one thing: reset the password to
something of his or her choosing. They will get access, but the user
will almost certainly know of the compromise very soon. Small comfort
perhaps, but enough that this is the preferred method for most sites.
In short, either you make 1 and 2 virtually the same (in which case 1 is
actually a bit *more* complex) or 2 is slightly safer than 1.
> Also any source code examples for option 2 would be appreciated.
I don't have anything I can show, but I would make one recommendation:
don't store passwords directly -- always hash them internally. That
way, an accidental or malicious release of the database (which just
seems to happen time and time again) won't reveal actual passwords.
Some effort (and you can make it significant effort) would be required
to recover the password from the hash. Also, users often re-use
passwords and you won't placate a user whose been told that their
favourite password is now out in the open by saying that they should not
have used it for more than one site -- no matter how true that is!
--
Ben.
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]