Re: Most secure way to reset a password via email link [message #185186 is a reply to message #185184]
Fri, 07 March 2014 05:55
Chuck Anderson
Messages: 63 Registered: September 2010
Member
jnorth(dot)au(at)example(dot)com wrote:
> On Thu, 06 Mar 2014 03:32:17 +0000, Ben Bacarisse <ben(dot)usenet(at)bsb(dot)me(dot)uk> wrote:
>
>> jnorth(dot)au(at)example(dot)com writes:
>>
>>> On Wed, 5 Mar 2014 05:02:50 -0800 (PST), jvd_200089(at)yahoo(dot)co(dot)uk wrote:
>>>
>>>> When resetting a password:
>>>> 1) Emailing a new password that the user then logs in with and resets
>>>> is the most simple method for non hashed passwords.
>>>>
>>>> 2) The other way involves sending a link for them to click on that
>>>> redirects them to the password reset page but unless their email is
>>>> secure anyone could click that link. What is special about this 2nd
>>>> way? Because that's how my boss wants it to work, and there is
>>>> no point doing it that way if it isn't more secure than sending them
>>>> a temporary new password.
>>>>
>>>> Also any source code examples for option 2 would be appreciated.
>>>>
>>> Another method which you might want to consider is:
>>> Sending an email stating that the next time they login they will need
>>> to reset their password.
>>>
>>> In the database and the user table have a field that will indicate
>>> whether or not the password needs to be reset.
>>>
>>> If a reset is required then redirect them to the change password file.
>>>
>>> This way there is no 'confidential' information being sent via email.
>>>
>> I think the OP is talking about a situation where the user can't log in
>> any more and has requested a "reset". If the user can't log in,
>> allowing them to change their password is not a safe option!
>>
>
> I agree but the simple method of using only username/email and password is never going to be secure.
> While the OP's second method is a bit more secure there are still problems. How do you know, with
> any certainty, that this is the person who is responding to the email?
>
> Using email address as a username is not a good idea as these can be easily guessed.
>
> One way to achieve more certainty about the person requesting a password reset would be to set up some
> challenge questions (which the user set up when first registering). If they pass those then you are
> probably dealing with the right person.
>
Isn't "what's your email address?" the equivalent of a challenge question?
--
*****************************
Chuck Anderson • Boulder, CO
http://cycletourist.com
Turn Off, Tune Out, Drop In
*****************************
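The token-link flow (the thread's option 2), as an added example that is not part of the thread or any poster's code. It assumes an in-memory dict in place of the users and reset-token tables, a hypothetical https://example.com/reset URL, and a mail function that only records what it would send. What it shows is the properties that separate a reset link from an emailed temporary password: the link is unguessable, stored only as a hash, expires, works once, is superseded by any newer request, and the user chooses the new password at redemption, so a link read later from a compromised mailbox is worthless once it has expired or been used.

```python
"""Password reset by emailed link: constructed example, not code from the thread."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60  # constructed choice: a link dies 30 minutes after issue

# Constructed stand-ins for the users and reset_tokens tables and the mail queue.
USERS = {}         # email -> {"pw_hash": bytes, "salt": bytes}
RESET_TOKENS = {}  # sha256(token) hex -> {"email": str, "expires": float, "used": bool}
OUTBOX = []        # (recipient, message) pairs that send_mail() would have delivered


def hash_password(password: str, salt: bytes) -> bytes:
    # 600,000 iterations is OWASP's current figure for PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def register(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[email] = {"pw_hash": hash_password(password, salt), "salt": salt}


def check_login(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])


def send_mail(recipient: str, message: str) -> None:
    OUTBOX.append((recipient, message))  # a real system would hand this to an MTA


def _token_key(token: str) -> str:
    # Only the hash of the token is stored: a leaked database row does not yield a working link.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> None:
    """Step 1: the user asks for a reset and a single-use, short-lived link is mailed."""
    now = time.time() if now is None else now
    # Return silently for unknown addresses so the form does not reveal who is registered.
    if email not in USERS:
        return
    # Any earlier unused link for this account stops working once a new one is issued.
    for row in RESET_TOKENS.values():
        if row["email"] == email:
            row["used"] = True
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    RESET_TOKENS[_token_key(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    send_mail(email, f"https://example.com/reset?token={token}")  # hypothetical URL


def redeem_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 2: the link is clicked and a new password is chosen on the site.

    Returns True only if the token was live; the token is consumed on success,
    so a second click on the same link fails.
    """
    now = time.time() if now is None else now
    row = RESET_TOKENS.get(_token_key(token))
    if row is None or row["used"] or now > row["expires"]:
        return False
    row["used"] = True
    salt = secrets.token_bytes(16)
    USERS[row["email"]] = {"pw_hash": hash_password(new_password, salt), "salt": salt}
    return True


if __name__ == "__main__":
    register("alice@example.com", "old-password")
    request_reset("alice@example.com")
    link = OUTBOX[-1][1]
    token = link.split("token=")[1]
    print("mailed:", link)
    print("redeem once:", redeem_reset(token, "new-password"))   # True
    print("redeem again:", redeem_reset(token, "third-password"))  # False
    print("new password works:", check_login("alice@example.com", "new-password"))
```

The lookup is by hash of the token rather than by a user-supplied id plus a compared secret, so there is no separate equality check to get wrong; the password comparison that remains uses `hmac.compare_digest`. Passing `now` explicitly is only there to make expiry testable offline.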