Re: Most secure way to reset a password via email link [message #185174 is a reply to message #185173]
Thu, 06 March 2014 03:32
Ben Bacarisse
Messages: 82 Registered: November 2013
jnorth(dot)au(at)example(dot)com writes:
> On Wed, 5 Mar 2014 05:02:50 -0800 (PST), jvd_200089(at)yahoo(dot)co(dot)uk wrote:
>
>> When resetting a password:
>> 1) Emailing a new password that the user then logs in with and resets
>> is the simplest method for non-hashed passwords.
>>
>> 2) The other way involves sending a link for them to click on that
>> redirects them to the password reset page but unless their email is
>> secure anyone could click that link. What is special about this 2nd
>> way? Because that's how my boss wants it to work, because there is
>> no point doing it that way if it isn't more secure than sending them
>> a temporary new password.
>>
>> Also any source code examples for option 2 would be appreciated.
>
> Another method which you might want to consider is:
> Sending an email stating that the next time they login they will need
> to reset their password.
>
> In the database and the user table have a field that will indicate
> whether or not the password needs to be reset.
>
> If a reset is required then redirect them to the change password file.
>
> This way there is no 'confidential' information being sent via email.
I think the OP is talking about a situation where the user can't log in
any more and has requested a "reset". If the user can't log in,
allowing them to change their password is not a safe option!
--
Ben.
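An added example of the "option 2" link flow the OP asks about; this is not code from anyone in the thread, and the in-memory dict stands in for a "reset pending" column in the user table. What makes the link safer than an emailed temporary password is that the token is random, short-lived and single-use, and only its hash is stored, so neither the email nor a leaked database row is a reusable credential.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset links should expire quickly


class ResetTokenStore:
    """Issues and redeems single-use password-reset tokens.

    Only a SHA-256 digest of each token is stored; the raw token exists
    only in the emailed link, so a dumped table cannot be used to reset
    anyone's password.
    """

    def __init__(self):
        # token digest -> (user_id, expires_at); stand-in for a DB table
        self._pending = {}

    def issue(self, user_id, now=None):
        """Create a fresh token for user_id and return it for the email link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A new request supersedes any earlier, still-pending link for this user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        self._pending[digest] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the user_id the token belongs to, or None if it is unknown,
        expired or already used. Any matching token is consumed on first use."""
        now = time.time() if now is None else now
        # Hashing before lookup means the comparison is on digests, so a
        # plain dict lookup leaks nothing useful about the stored value.
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None  # expired tokens are dropped, not honoured
        return user_id


def build_reset_link(base_url, token):
    """Assemble the link to email; the handler behind it calls redeem()
    and only then shows the change-password form for the returned user."""
    return f"{base_url}/reset?token={token}"
```

The page behind the link must call `redeem()` before showing the change-password form, which is exactly the check Ben's reply points at: without proving possession of the token, a user who cannot log in must not be allowed to change the password.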