Re: Most secure way to reset a password via email link [message #185157 is a reply to message #185156]
Wed, 05 March 2014 13:49
Jerry Stuckle (Senior Member; Messages: 2598; Registered: September 2010)
On 3/5/2014 8:02 AM, jvd_200089(at)yahoo(dot)co(dot)uk wrote:
> When resetting a password:
> 1) Emailing a new password that the user then logs in with and resets is the simplest method for non-hashed passwords.
>
> 2) The other way involves sending a link for them to click on that redirects them to the password reset page, but unless their email is secure anyone could click that link. What is special about this 2nd way? Because that's how my boss wants it to work, and there is no point doing it that way if it isn't more secure than sending them a temporary new password.
>
> Also, any source code examples for option 2 would be appreciated.
>
Either choice is only as secure as the email.
How you actually do it will depend on your installation. Basically,
you need to create a password reset page; when the user requests a new
password, generate a random string (the longer the better) and store it
somewhere, e.g. in a database. Then email a link with the random string
as a parameter in the URL.
When the user clicks on the link and accesses your reset page, get the
parameter from the URL and process the request.
--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
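Added example, not code from the original post or from Jerry Stuckle: the token-based flow described above, written in Python with in-memory dicts standing in for the database and the mailer. The host `example.test`, the 15-minute lifetime and the `PasswordResetService` class are assumptions made for the example. It adds the checks a practitioner would want on top of the basic description: the token comes from the OS CSPRNG, only its SHA-256 hash is stored (a leaked or readable table then yields no usable links), the token expires, it is single-use, and the request endpoint answers identically whether or not the address has an account.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumed for this example: a reset link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60
RESET_URL = "https://example.test/reset"  # placeholder host, not a real site


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-SHA256; returns a self-describing string for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def token_from_link(link):
    """Pull the token parameter back out of the emailed URL."""
    return parse_qs(urlparse(link).query)["token"][0]


class PasswordResetService:
    """In-memory stand-in for the user table, the reset-token table and the mailer."""

    def __init__(self, users, now=time.time):
        self.users = users            # email -> {"password_hash": ...}
        self.now = now                # injectable clock so expiry can be tested
        self.reset_tokens = {}        # sha256(token) -> {"email", "expires"}
        self.outbox = []              # (recipient, link) pairs that would be emailed

    @staticmethod
    def _hash_token(token):
        # Store only a hash: the DB never holds a value that works as a link.
        # Looking up by hash also avoids a timing side channel on comparison.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_reset(self, email):
        """Step 1: generate the random string, store its hash, email the link."""
        if email not in self.users:
            # Same return value as the success path: do not reveal which
            # addresses are registered.
            return True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.reset_tokens[self._hash_token(token)] = {
            "email": email,
            "expires": self.now() + TOKEN_TTL_SECONDS,
        }
        self.outbox.append((email, f"{RESET_URL}?token={token}"))
        return True

    def complete_reset(self, token, new_password):
        """Step 2: the user follows the link; validate the token and set the password."""
        token_hash = self._hash_token(token)
        entry = self.reset_tokens.get(token_hash)
        if entry is None:
            return False
        if self.now() > entry["expires"]:
            del self.reset_tokens[token_hash]
            return False
        # Single use: consume the token before touching the account, then drop
        # any other outstanding tokens for the same user.
        del self.reset_tokens[token_hash]
        for other_hash, other in list(self.reset_tokens.items()):
            if other["email"] == entry["email"]:
                del self.reset_tokens[other_hash]
        self.users[entry["email"]]["password_hash"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    # Constructed sample run: one registered user, one unknown address.
    svc = PasswordResetService({"alice@example.test": {"password_hash": hash_password("old")}})
    svc.request_reset("alice@example.test")
    svc.request_reset("nobody@example.test")
    print("emails sent:", len(svc.outbox))
    tok = token_from_link(svc.outbox[0][1])
    print("reset ok:", svc.complete_reset(tok, "new-password"))
    print("replay ok:", svc.complete_reset(tok, "another"))
```

In a real deployment the two dicts become database tables, `outbox.append` becomes the mail call, and the reset page should also require the user to be logged out and rate-limit `request_reset` per address; none of that changes the token handling shown here.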