Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Password reset by emailing temporary passwords

Tags:

security

passwords

forgot-password

login

A group in my company is implementing a single-sign-on REST API for our applications. This authentication service has a password reset function. The application sends the username to the reset function. If that username is associated with an email address, then an email is sent to that address with a temporary password.

The other approach seems to be sites which email a secure, temporary link which presents a page for the user to input a new password. This page only exists for a short period of time.

I know that email is not a secure protocol, so people could sniff the traffic and recover either the temporary password or the temporary link.

Are there any significant security reasons to prefer one method over the other? Is there another, more secure way to do this?

like image 674
gnavi Avatar asked Aug 20 '09 15:08

gnavi

People also ask

How long is a temporary password good for?

The expiration of Temporary Passwords is currently hard coded to 24 hours which is not practical for many global organizations like us - keeping different time zones and global business hours in mind, 24 hours is not enough.

What is a temporary password?

A temporary password may only be used once and you must change it now to access your account. Passwords are case-sensitive and must conform to the password restrictions that display on screen.

How do I stop Gmail from resetting request password?

Click Security Settings in the Security section. Under Allow Password Reset Emails, remove the check box to prevent password reset emails from being sent.

1 Answers

In both cases, the private information (temporary password or reset link) is transmitted over the same medium. From this point of view, there's no difference in security. However, the reset link as a few advantages: You force the user to choose a new password. As soon as he does so, the link is void and cannot be abused. Temporary passwords, on the contrary, tend to be not as temporary as you like. Even if you force the user to choose a new password on the next logon, he is likely to enter the temporary one again.

Additionally, you can log the IP of the one who uses the reset link, so have at least something to hand over to the authorities if necessary.

like image 134
Malte Clasen Avatar answered Oct 07 '22 07:10

Malte Clasen
Sign in to Comment

Related questions

What harm can javascript do?
Is there any danger in loading external, third-party CSS?
One way SSL is one way encryption?
Can a PHP file ever be read externally? [closed]
NoSQL Database for Banking System [closed]
Why should I use session id in cookie instead of storing login and (hashed) password in cookie?
Change Joomla Administrator URL
What is apache autoindex and should I disable it?
Are passwords stored in memory safe?
How to suppress "An application is requesting access to a protected item" popup
Electron 'contextBridge'
<? or <?php --- is there any difference? [duplicate]
Does AccessController.doPrivileged give JavaScript threads the permissions of the signed Applet?
Centralized vs. Distributed version control security
Javascript XSS Prevention
Should I use GET or POST when requesting sensitive data?
How safe is auth !== null? Firebase
Top tips for secure web applications [closed]
Secure MySQL backup cron job – my.cnf is not being read
Removing Unused HTTP Handlers for Better Performance & Security

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!