| Re: Most secure way to reset a password via email link [message #185184 is a reply to message #185174] |
Fri, 07 March 2014 01:41   |
jnorth.au
Messages: 5
Registered: January 2014
Karma:
|
Junior Member |
|
|
On Thu, 06 Mar 2014 03:32:17 +0000, Ben Bacarisse <ben(dot)usenet(at)bsb(dot)me(dot)uk> wrote:
> jnorth(dot)au(at)example(dot)com writes:
>
>> On Wed, 5 Mar 2014 05:02:50 -0800 (PST), jvd_200089(at)yahoo(dot)co(dot)uk wrote:
>>
>>> When resetting a password:
>>> 1) Emailing a new password that the user then logs in with and resets
>>> is the most simple method for non hashed passwords.
>>>
>>> 2) The other way involves sending a link for them to click on that
>>> redirects them to the password reset page but unless their email is
>>> secure anyone could click that link. What is special about this 2nd
>>> way? because thats what how my boss wants it to work because there is
>>> not point doing it that way if it isn't more secure than sending them
>>> a temporary new password.
>>>
>>> Also any source code examples for option 2 would be appreciated.
>>
>> Another method which you might want to consider is:
>> Sending an email stating that the next time they login they will need
>> to reset their password.
>>
>> In the database and the user table have a field that will indicate
>> whether or not the password needs to be reset.
>>
>> If a reset is required then redirect them to the change password file.
>>
>> This way their is no 'confidential' information being sent via email.
>
> I think the OP is talking about a situation where the user can't log in
> any more and has requested a "reset". If the user can't log in,
> allowing them to change their password is not a safe option!
I agree but the simple method of using only username/email and password is never going to be secure.
While the OP's second method is a bit more secure there are still problems. How do you know, with
any certainty that this is the person who is responding the the email?
Using email address as a username is not a good idea as these can be easily guessed.
To achieve more certainty of the person requesting a password reset would be to set up some
challenge questions (which the user set up when first registering). If they pass those then you are
probably dealing with the right person.
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]