| Re: Most secure way to reset a password via email link [message #185173 is a reply to message #185156] |
Thu, 06 March 2014 02:58   |
jnorth.au
Messages: 5
Registered: January 2014
Karma:
|
Junior Member |
|
|
On Wed, 5 Mar 2014 05:02:50 -0800 (PST), jvd_200089(at)yahoo(dot)co(dot)uk wrote:
> When resetting a password:
> 1) Emailing a new password that the user then logs in with and resets is the most simple method for non hashed passwords.
>
> 2) The other way involves sending a link for them to click on that redirects them to the password reset page but unless their email is secure anyone could click that link. What is special about this 2nd way? because thats what how my boss wants it to work because there is not point doing it that way if it isn't more secure than sending them a temporary new password.
>
> Also any source code examples for option 2 would be appreciated.
Another method which you might want to consider is:
Sending an email stating that the next time they login they will need to reset their password.
In the database and the user table have a field that will indicate whether or not the password needs
to be reset.
If a reset is required then redirect them to the change password file.
This way their is no 'confidential' information being sent via email.
HTH
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]