Re: Most secure way to reset a password via email link [message #185334 is a reply to message #185156]
Wed, 19 March 2014 16:01
Arno Welzel
Messages: 317 Registered: October 2011
On 05.03.2014 14:02, jvd_200089(at)yahoo(dot)co(dot)uk wrote:
> When resetting a password:
>
> 1) Emailing a new password that the user then logs in with and resets
> is the simplest method for non-hashed passwords.
Even for hashed ones, since it is always possible to generate a password
to send and the hash for it on the server.
> 2) The other way involves sending a link for them to click on that
> redirects them to the password reset page, but unless their email is
> secure anyone could click that link. What is special about this 2nd
> way? Because that's how my boss wants it to work, but there is
> no point doing it that way if it isn't more secure than sending
> them a temporary new password.
There is no difference between the two ways concerning security.
*No* e-mail is secure as long as the transmission is not
encrypted. It doesn't matter if the mail contains a new password or a
link. If the attacker gets access to the mail and also knows the account
associated with it, he will get access to the account.
> Also any source code examples for option 2 would be appreciated.
I don't have code - just the way to do it:
Set a flag in the user account that it is "locked" and the user must set
a new password and cannot use the old one any longer. Then send an
e-mail with the URL where the user can enter a new password.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
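Since the thread asked for code, here is the flow from the last paragraph of the reply above as an added example in Python; it is not code from the original post or from any of its authors. The user table, mail outbox, the example.com URL layout and the one-hour link lifetime are assumptions. It goes a little beyond the post: the link carries only a random token, the server stores a hash of the token rather than the token itself, and the token expires and is consumed on first use, so a link read out of a mailbox after the legitimate reset is already worthless.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the users table and the mail outbox.
USERS = {
    "alice": {
        "email": "alice@example.com",
        "pw_hash": None,       # salt + PBKDF2 digest, set on first reset
        "locked": False,       # the "must set a new password" flag from the post
        "reset_hash": None,    # SHA-256 of the one-time token, never the token
        "reset_expires": 0.0,  # unix time after which the link is dead
    }
}
RESET_INDEX = {}   # token hash -> username, so the link carries only the token
SENT_MAIL = []     # (recipient, url) pairs; a real app hands these to an MTA
RESET_TTL = 3600   # assumed one-hour link lifetime, in seconds
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password) for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, now=None):
    """Lock the account, mint a one-time token and queue the reset link.

    Returns the URL that was 'mailed', or None for an unknown user. The caller
    should show the same message either way so the form cannot enumerate users.
    """
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    # Any earlier, unused token for this account is invalidated by the new one.
    if user["reset_hash"] is not None:
        RESET_INDEX.pop(user["reset_hash"], None)
    token = secrets.token_urlsafe(32)
    user["locked"] = True
    user["reset_hash"] = _token_hash(token)
    user["reset_expires"] = now + RESET_TTL
    RESET_INDEX[user["reset_hash"]] = username
    url = "https://example.com/reset?token=" + token   # assumed URL layout
    SENT_MAIL.append((user["email"], url))
    return url


def complete_reset(token, new_password, now=None):
    """Consume the token from the link and set the new password."""
    now = time.time() if now is None else now
    username = RESET_INDEX.get(_token_hash(token))
    if username is None:
        return False
    user = USERS[username]
    if now > user["reset_expires"]:
        # Expired links are discarded; the account stays locked until a new request.
        RESET_INDEX.pop(user["reset_hash"], None)
        user["reset_hash"] = None
        return False
    user["pw_hash"] = hash_password(new_password)
    user["locked"] = False
    RESET_INDEX.pop(user["reset_hash"])   # single use
    user["reset_hash"] = None
    user["reset_expires"] = 0.0
    return True


def login(username, password):
    """A locked account cannot log in with the old password at all."""
    user = USERS.get(username)
    if user is None or user["locked"] or user["pw_hash"] is None:
        return False
    return verify_password(password, user["pw_hash"])
```

Locking on request is what makes this approach match the post: from the moment the mail goes out, the old password no longer works, so whoever reads the mail first (the user or an attacker) is the only one who can set the new one, and the legitimate user notices because they are locked out. Hashing the stored token means a read of the users table does not hand out live reset links.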