Re: Most secure way to reset a password via email link [message #185187 is a reply to message #185186]
Fri, 07 March 2014 07:45
jnorth.au
Messages: 5 Registered: January 2014
On Thu, 06 Mar 2014 22:55:50 -0700, Chuck Anderson <cycletourist(at)invalid(dot)invalid> wrote:
> jnorth(dot)au(at)example(dot)com wrote:
>> On Thu, 06 Mar 2014 03:32:17 +0000, Ben Bacarisse <ben(dot)usenet(at)bsb(dot)me(dot)uk> wrote:
>>
>>
>>> jnorth(dot)au(at)example(dot)com writes:
>>>
>>>
>>>> On Wed, 5 Mar 2014 05:02:50 -0800 (PST), jvd_200089(at)yahoo(dot)co(dot)uk wrote:
>>>>
>>>>
>>>> > When resetting a password:
>>>> > 1) Emailing a new password that the user then logs in with and resets
>>>> > is the most simple method for non hashed passwords.
>>>> >
>>>> > 2) The other way involves sending a link for them to click on that
>>>> > redirects them to the password reset page but unless their email is
>>>> > secure anyone could click that link. What is special about this 2nd
>>>> > way? Because that's how my boss wants it to work, because there is
>>>> > no point doing it that way if it isn't more secure than sending them
>>>> > a temporary new password.
>>>> >
>>>> > Also any source code examples for option 2 would be appreciated.
>>>> >
>>>> Another method which you might want to consider is:
>>>> Sending an email stating that the next time they login they will need
>>>> to reset their password.
>>>>
>>>> In the database and the user table have a field that will indicate
>>>> whether or not the password needs to be reset.
>>>>
>>>> If a reset is required then redirect them to the change password file.
>>>>
>>>> This way there is no 'confidential' information being sent via email.
>>>>
>>> I think the OP is talking about a situation where the user can't log in
>>> any more and has requested a "reset". If the user can't log in,
>>> allowing them to change their password is not a safe option!
>>>
>>
>> I agree but the simple method of using only username/email and password is never going to be secure.
>> While the OP's second method is a bit more secure there are still problems. How do you know, with
>> any certainty that this is the person who is responding to the email?
>>
>> Using email address as a username is not a good idea as these can be easily guessed.
>>
>> To achieve more certainty of the person requesting a password reset would be to set up some
>> challenge questions (which the user set up when first registering). If they pass those then you are
>> probably dealing with the right person.
>>
>
> Isn't "what's your email address?" the equivalent of a challenge question?
Only for the intellectually challenged.
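What distinguishes the OP's option 2 from emailing a temporary password is that the link can carry a random, single-use, time-limited token whose hash (never the token itself) is stored server-side, so a leaked database or an old email cannot be replayed; following the link still only proves control of the mailbox, which is the gap jnorth raises. The sketch below is an added illustration written for this thread, not code from any participant; the in-memory `users` and `reset_requests` dictionaries, the `TOKEN_TTL` policy value and the example URL are assumptions standing in for a real database and site.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

# Constructed in-memory stand-ins for the users table and a reset-request table.
users = {"alice": {"pw_hash": None, "salt": None}}
reset_requests = {}  # sha256(token) -> {"user": ..., "expires": ...}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(username, password):
    salt = secrets.token_bytes(16)
    users[username] = {"pw_hash": _hash_password(password, salt), "salt": salt}


def check_password(username, password):
    rec = users.get(username)
    if rec is None or rec["pw_hash"] is None:
        return False
    return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))


def request_reset(username, now=None):
    """Create a single-use, time-limited token; only its hash is stored.
    The raw token goes into the emailed link and nowhere else."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    reset_requests[token_hash] = {"user": username, "expires": now + TOKEN_TTL}
    return token  # caller builds e.g. https://example.invalid/reset?token=<token>


def complete_reset(token, new_password, now=None):
    """Called when the link is followed. Returns True only if the token is
    known, unexpired and unused; the request record is deleted on any use."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    req = reset_requests.pop(token_hash, None)  # pop makes the token single-use
    if req is None or now > req["expires"]:
        return False
    set_password(req["user"], new_password)
    return True
```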