Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Implement password recovery best practice

I want to to implement password recovery in my web application.

I'd like to avoid using secret questions.

I could just send the password by e-mail but I think it would be risky.

Maybe I could generate a new temporary random password and send it by e-mail but I think it is as risky as the above point.

Can I send a url by e-mail for example http://example.com/token=xxxx where xxxx is a random token associated with the user. So when the user navigates to that url he/she can reset the password.

like image 743
Enrique Avatar asked Apr 29 '10 02:04

Enrique


People also ask

How do you assist a customer with a password reset?

So if your customer says, “I can't log in!” ask them how they accessed the sign-in page. If they are in the right place, send them a reset link. Send them the correct sign-in link if they're in the wrong place. Verify their email address to make sure they receive the password reset email.

How long should a password reset token be?

Brute force attacks To prevent this, we must ensure that tokens are generated using a secure random source, and that they are long enough (we recommend >= 64 characters).


2 Answers

When I was in the Air Force the security rule we had was: When setting or resetting passwords, do not send the user id and the password in the same email. That way, if someone is intercepting emails snooping for passwords, he has to successfully intercept BOTH emails, and be able to connect them, to breach security.

I've seen a lot of sites that use the "go to this URL to reset your password". Maybe I'm missing something -- I don't claim to be a security expert -- but I don't see how that is any more secure than just inventing a new, temporary password and sending it. If a hacker intercepts the email, why can't he go to that link and see the new password as well as the legitimate user could? It looks to me like extra hassle for the user with no security gain.

By the way, congratulations on NOT using security questions. The logic of this device escapes me. Since the dawn of computer security we have been telling people, "DON'T make a password that is information about yourself that a hacker could discover or guess, like the name of your high school, or your favorite color. A hacker might be able to look up the name of your high school, or even if they don't know you or know anything about you, if you still live near where you went to school they might get it by tryinging local schools until they hit it. There are a small number of likely favorite colors so a hacker could guess that. Etc. Instead, a password should be a meaningless combination of letters, digits, and punctuation." But now we also tell them, "But! If you have a difficult time remembering that meaningless combination of letters, digits, and punctuation, no problem! Take some information about yourself that you can easily remember -- like the name of your high school, or your favorite color -- and you can use that as the answer to a 'security question', that is, as an alternative password."

Indeed, security questions make it even easier for the hacker than if you just chose a bad password to begin with. At least if you just used a piece of personal information for your password, a hacker wouldn't necessarily know what piece of personal information you used. Did you use the name of your dog? Your birth date? Your favorite ice cream flavor? He'd have to try all of them. But with security questions, we tell the hacker exactly what piece of personal information you used as a password!

Instead of using security questions, why don't we just say, "In case you forget your password, it is displayed on the bottom of the screen. If you're trying to hack in to someone else's account, you are absolutely forbidden from scrolling down." It would be only slightly less secure.

Lest you wonder, when sites ask me for the city where I was born or the manufacturer of my first car, I do not give an actual answer tot he question. I give a meaningless password.

</rant>

like image 101
Jay Avatar answered Sep 18 '22 21:09

Jay


First off, do not store a plain-text copy of the user's password, or even an encrypted version. You want to only ever keep a hashed copy of the user's password.

As for recover solutions, I find that the recovery link to change the user's password is the best solution in my experience. It will probably be a bit more convenient for the user, while being largely the same from a security point of view as sending a new random password to be changed after next login. I'd still recommend having the recovery url expire after a reasonable short period of time, as well as only being usable a single time.

like image 22
Kitsune Avatar answered Sep 18 '22 21:09

Kitsune