Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Best practice on generating reset password tokens

Tags:

guid

passwords

reset-password

Any best practice on how a reset password token should be constructed? I'm thinking:

random 17 characters [a-zA-Z0-9] + a globally unique id + random 17 characters [a-zA-Z0-9].

Is there a better solution, or an industry standard on reset password tokens?

like image 351
Justin Avatar asked Nov 16 '13 01:11

Justin

People also ask

How do password reset tokens work?

The reset password token is obtained from the password reset link's query params. In summary, if the token's hash matches what was stored in the database, the user's password will be updated with the new password. Otherwise, the user will have to request a new reset token and go through the process again.

Should password reset tokens be hashed?

Yes, I would recommend you to hash you reset tokens and just then store them in the database. Also after using them, deleting the record would also be a good practice. You can use a AesCryptoServiceProvider or some other cryptographic provider to do the job. There are many code samples on how to use them.

How long should a password reset token last?

By default, password reset tokens expire after one hour. You may change this via the password reset expire option in your config/auth. php file. The default expire is 60 minutes.

What is a reset token?

If a user loses access to their account for some reason, such as if they forget their password or let it expire, then they must have their password reset by an administrator to regain access to it.

1 Answers

There are some important points to consider.

  1. The code should be really random (read from MCRYPT_DEV_URANDOM), and should not be derrived from other user related information.
  2. Ideally the code is base62 encoded (A-Z a-z 0-9) to avoid problems with the Url.
  3. Store only a hash of the token in the database, otherwise an attacker with read access to the database can reset any account.

This leads to the problem that you have to find the hash of the token in the database, after the user clicked the link. There are two possible ways to store the token:

  • You hash the token with a hash algorithm like SHA512 without a salt. This is secure if the token is very strong (minimum length 20 with 0-9 a-z A-Z). Theoretically you have to check whether such a hash already exists before you enter it in the database, in practise this is negligible. I implemented a password-reset class that can handle such tokens.
  • You hash the token with BCrypt and salt. This allows for shorter tokens, but you cannot search for the hashed token in the database. Instead you have to include a row-id in the link to find the token.
like image 172
martinstoeckli Avatar answered Oct 23 '22 18:10

martinstoeckli
Sign in to Comment

Related questions

What's the recommended hashing algorithm to use for stored passwords?
Why encrypt user passwords? [duplicate]
Simple password encryption
php password_hash and password_verify issues no match
Password strength check in PHP [closed]
Firebase Reset Password Swift [closed]
What's a good alternative to security questions? [closed]
Where does Internet Explorer store saved passwords? [closed]
How do you avoid storing passwords in version control?
Password Encryption , storing password in session
Is it possible to mark a property shown in a property grid as a password field
Is it possible to attack a user password with known salt
How to enable password ssh authentication for Vagrant VM?
"Please confirm which user you are changing the password for"
Check when password was last changed
How to hide passwords in Jenkins console output?
"ORA-28001: the password has expired" not fixable
Show/hide password onClick of button using Javascript only
How to create login in ionic 2 with show/hide password
autocomplete=new-password and making them confirm it via entering the password again

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!