Re: Most secure way to reset a password via email link [message #185184 is a reply to message #185174] Fri, 07 March 2014 01:41
From: jnorth.au
On Thu, 06 Mar 2014 03:32:17 +0000, Ben Bacarisse <ben(dot)usenet(at)bsb(dot)me(dot)uk> wrote:

> jnorth(dot)au(at)example(dot)com writes:
>
>> On Wed, 5 Mar 2014 05:02:50 -0800 (PST), jvd_200089(at)yahoo(dot)co(dot)uk wrote:
>>
>>> When resetting a password:
>>> 1) Emailing a new password that the user then logs in with and resets
>>> is the simplest method for non-hashed passwords.
>>>
>>> 2) The other way involves sending a link for them to click on that
>>> redirects them to the password reset page, but unless their email is
>>> secure anyone could click that link. What is special about this 2nd
>>> way? Because that's how my boss wants it to work, and there is
>>> no point doing it that way if it isn't more secure than sending them
>>> a temporary new password.
>>>
>>> Also any source code examples for option 2 would be appreciated.
>>
>> Another method which you might want to consider is:
>> Sending an email stating that the next time they login they will need
>> to reset their password.
>>
>> In the database and the user table have a field that will indicate
>> whether or not the password needs to be reset.
>>
>> If a reset is required then redirect them to the change password file.
>>
>> This way there is no 'confidential' information being sent via email.
>
> I think the OP is talking about a situation where the user can't log in
> any more and has requested a "reset". If the user can't log in,
> allowing them to change their password is not a safe option!

I agree, but the simple method of using only username/email and password is never going to be secure.
While the OP's second method is a bit more secure, there are still problems. How do you know, with
any certainty, that this is the person who is responding to the email?

Using an email address as a username is not a good idea, as these can be easily guessed.

One way to achieve more certainty about the person requesting a password reset would be to set up some
challenge questions (which the user set up when first registering). If they pass those, then you are
probably dealing with the right person.
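What makes the link method (the OP's option 2) more than "anyone could click that link" is the token behind the link, which the thread never spells out: the following added example, not code from this thread or any of its posters, shows a reset token that is random, stored only as a hash, time-limited and single-use. It assumes an in-memory array standing in for the users table and a one-hour validity window.

```php
<?php
// Added example (not from the thread): a token-based reset flow for "option 2".
// Assumption: $users is an in-memory stand-in for the users table.

const RESET_TTL = 3600; // assumption: a link stays valid for one hour

$users = [ // constructed sample record
    'alice' => ['email' => 'alice@example.com', 'reset_hash' => null, 'reset_expires' => 0],
];

// Step 1: the user asks for a reset. Generate a high-entropy token, store only
// its hash (a leaked database then yields no usable links) and an expiry.
function issueResetLink(array &$users, string $username): ?string
{
    if (!isset($users[$username])) {
        return null; // show the same "check your email" message either way
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $users[$username]['reset_hash'] = hash('sha256', $token);
    $users[$username]['reset_expires'] = time() + RESET_TTL;
    // The raw token exists only in this link, which is what gets emailed.
    return 'https://example.com/reset.php?u=' . rawurlencode($username) . '&t=' . $token;
}

// Step 2: the user follows the link. Check the expiry and the hash (in constant
// time), clear the token so the link is single-use, then set the new password.
function completeReset(array &$users, string $username, string $token, string $newPassword): bool
{
    if (!isset($users[$username]) || $users[$username]['reset_hash'] === null) {
        return false;
    }
    $u = &$users[$username];
    if (time() >= $u['reset_expires'] || !hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $u['reset_hash'] = null; // consume the token before anything else
    $u['reset_expires'] = 0;
    $u['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Walk-through: issue a link, follow it once (succeeds), follow it again (fails).
$link = issueResetLink($users, 'alice');
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
var_dump(completeReset($users, $q['u'], $q['t'], 'correct horse battery staple'));
var_dump(completeReset($users, $q['u'], $q['t'], 'second attempt'));
```

Rate-limiting reset requests per account and per source address is still needed separately, since the token only proves control of the mailbox during its validity window.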