I've seen various questions regarding this issue, but there are a couple of questions that haven't been asked. If the user forgets their password, I would like them to be able to reset it with only their email address (i.e. there's no security question/answer). The password is stored as a salted hash, so there's no recovery possible. Instead, I'd just like the user to enter a new password after confirming that they have requested a reset.
A common method that's been mentioned is to simply:
1) Create a random Guid/Cryptographically strong random number
2) Send a unique URL containing the random number to the user's email address
3) When confirmed, the user is asked to change password
However, isn't this open to a MITM
attack? If sending a temporary passwords over the internet to an email is insecure, what's the difference between doing that and simply sending a unique URL which the attacker can navigate to?
Have I missed a key step somewhere that will make this system more secure (Or is there a better way of resetting the password)?
Thanks
If you construct your hash correctly, the url click will have to come from the IP address that requested the reset. This would require the MITM to spoof the IP and/or falsify headers. While this is possible, the more unique you can identify the hash to the system in question, the more difficult it becomes to "end-around" the hash.
It is also recommended that the guid be a one-way hash of certain criteria. It is also possible to encrypt system data in the request using a public key that a private key unlocks so that when the url is clicked, this same public encrypted system data must accompany the hash, and the only system that could unencrypt these values would be the private key held at the server. Basically a psuedo-PKI attachment to the hash.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With