Forgot Password: what is the best method of implementing a forgot password function?

I'm wondering what the best method is for creating a forgot password function on a website. I have seen quite a few out there; here are a few, or combinations of them:

  • passphrase question / answer (1 or more)
  • send email with new password
  • on screen give new password
  • confirmation through email: must click link to get new password
  • page requiring user to enter a new password

What combination or additional steps would you add to a forgot password function? I'm wondering about how they request the new password and how they end up getting it.

I'm operating on the principle that the password cannot be retrieved; a new password must be given/generated.

Edit: I like what Cory said about not displaying if the username exists, but I'm wondering what to display instead. I'm thinking half the problem is that the user forgot which email address they used, so displaying some sort of "does not exist" message is useful. Any solutions?

Darryl Hein asked Feb 07 '09 02:02



1 Answer

  1. I personally would send an email with a link to a short term page that lets them set a new password. Make the page name some kind of UID.
  2. If that does not appeal to you, then sending them a new password and forcing them to change it on first access would do as well.

Option 1 is far easier.

Gregor Brandt answered Oct 02 '22 01:10
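The two parts of the thread that matter for an implementation are the answer's option 1 (e-mail a link to a short-lived page whose name is a random UID, where the user sets a new password) and the question's edit about not revealing whether an address exists. The following is an added example of that flow in Python; it is not code from the question, the answer, or any project, and the in-memory `USERS` and `RESET_TOKENS` dictionaries are assumed stand-ins for database tables. It shows the properties a practitioner would want: the token is generated with a CSPRNG, only its hash is stored, it expires, it is single-use, and the request form returns the same message for known and unknown addresses.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stores standing in for a users table and a
# reset_tokens table (assumption: a real deployment uses its database).
USERS = {"alice@example.com": {"password_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"email", "expires_at", "used"}

TOKEN_TTL_SECONDS = 15 * 60  # the "short term page": link dies after 15 minutes

# Same text whether or not the address exists, so the form cannot be used
# to enumerate accounts (the point raised in the question's edit).
GENERIC_MESSAGE = "If an account exists for that address, a reset link has been sent."


def _hash_token(token: str) -> str:
    # Store only a hash: a leaked reset_tokens table then contains no live links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str) -> Tuple[bytes, bytes]:
    # Salted PBKDF2 for the stored credential; returns (salt, derived_key).
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, dk


def verify_password(email: str, password: str) -> bool:
    stored = USERS.get(email, {}).get("password_hash")
    if stored is None:
        return False
    salt, dk = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, dk)  # constant-time comparison


def request_reset(email: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Step 1: the user submits an address on the 'forgot password' form.

    Returns (message_shown_to_user, token_or_None). The token is the UID
    that would go into the e-mailed link; it is produced only when the
    address is known, but the message never changes."""
    now = time.time() if now is None else now
    if email not in USERS:
        return GENERIC_MESSAGE, None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
    RESET_TOKENS[_hash_token(token)] = {
        "email": email,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return GENERIC_MESSAGE, token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 2: the user follows the link and submits a new password.

    The token is accepted once, and only before it expires; the old
    password is never shown or mailed anywhere."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return False
    record["used"] = True  # single use: a link left in a mailbox is dead after this
    USERS[record["email"]]["password_hash"] = _hash_password(new_password)
    return True


if __name__ == "__main__":
    # Walk the flow once with a fixed clock so the expiry check is visible.
    message, token = request_reset("alice@example.com", now=1000.0)
    print(message)
    print("reset accepted:", complete_reset(token, "correct horse battery", now=1060.0))
    print("reuse accepted:", complete_reset(token, "again", now=1061.0))
```

In a web framework the token is the path or query parameter of the mailed link, the reset page looks it up exactly as `complete_reset` does, and the `now` parameter disappears in favour of the real clock; it is exposed here only so the expiry and single-use behaviour can be exercised deterministically. Looking the token up by its hash (rather than scanning records with a constant-time compare) is the usual pattern and is safe because the value being indexed is not the secret itself.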