Secure password reset url with email? [duplicate]

I'm building a PHP website with a limited number of users at any time (20 max). I've spent quite some time securing it and have done a lot of research on the topic.

I've run into a problem considering a secure password reset system. I'd like to use the most convenient way, that is, sending an email to the user with a URL that contains a token to reset the password. The token is bound to a certain user and is only valid for a certain amount of time. Alas, this doesn't seem to be secure, as email traffic can be intercepted. I've been thinking of additional checks on the token, such as IP and browser (HTTP_USER_AGENT), but this too can be bypassed.

I could use a security question or link a code to the token that has to be given by the admin in order to use the token URL (this is manageable because of the limited number of users), but I'd rather avoid that.

I've noticed that Facebook, Tumblr and probably many more use the convenient way of sending an email with a URL, without further security questions or such. Considering that security is one of the top priorities of these companies, how do they manage to make this process secure (I assume it is)? Are there any special security checks that they run? Or is the email-traffic interception security leak a bit exaggerated?

Thanks in advance.

Lowie Huyghe, asked Oct 20 '22 07:10


2 Answers

I don't know about Facebook and Twitter (I've never had to reset my password), but in my experience there is nothing really secure that can be automatically and conveniently used to secure a password-reset email. There are two cases where such an email is used:

  1. The user forgot his password.
  2. The account has been compromised.

In the first case, the email is just there for convenience, and there is no real need for security. The best would be to give the reset token a really short lifetime, or to check with a cookie if you're really paranoid.

In the second case, you have to be sure that the end user gets the email, and not the attacker. So you prevent changing the email after registration, thus linking the account's security to that of the email account.

In both cases, there is nothing you can really do. Security questions aren't secure at all, unless the user is smart enough not to answer the question but to put another, more secure password in it. In the end, it's the same problem as with the reset email.

The only other method that would be more secure would involve an administrator checking the password-reset request, as you proposed. It would work if you have a really low user count, but would still be a pain to deal with on a daily basis.

Elwinar, answered Oct 23 '22 11:10


Resetting passwords based on sessions may be considered, as the reset link will be idle for anyone outside the session.

Manjeet Sharma, answered Oct 23 '22 09:10
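The two answers above describe the token properties that matter in the "forgot my password" case (a really short lifetime, one-time use) and an extra check that ties the link to the requesting browser session. The following PHP snippet is an added example of that flow and is not code from either answer or from the asker's site. It assumes the two arrays `$users` and `$tokens` stand in for database tables, that the session id is passed in as a plain string (in a real app it would come from `session_id()`), and that the function names are hypothetical. The important properties are: the token comes from the CSPRNG, only its SHA-256 hash is stored so a leaked table cannot be replayed, it expires after fifteen minutes, it is consumed on first use whether the attempt succeeds or not, and every other outstanding token for the user is revoked once the password changes.

```php
<?php
// Added example (not from the original question or answers): a password
// reset flow where the emailed URL carries a high-entropy, short-lived,
// single-use token. Only a hash of the token is stored, and the reset may
// optionally be bound to the browser session that requested it.
// The $users and $tokens arrays stand in for database tables (assumption).

declare(strict_types=1);

const RESET_TTL_SECONDS = 15 * 60;   // short lifetime limits the interception window

$users  = ['alice' => ['email' => 'alice@example.com', 'hash' => null]];
$tokens = [];   // sha256(raw token) => ['user' => ..., 'expires' => ..., 'session' => ...]

/** Issue a reset token and return the raw value that goes into the emailed URL. */
function issueResetToken(array &$tokens, string $user, ?string $sessionId = null): string
{
    // 32 bytes from the CSPRNG; the raw value is emailed once and never stored
    $raw = bin2hex(random_bytes(32));
    // Store only the hash: a leaked tokens table cannot be turned into a valid link
    $tokens[hash('sha256', $raw)] = [
        'user'    => $user,
        'expires' => time() + RESET_TTL_SECONDS,
        'session' => $sessionId,   // null = no session binding
    ];
    return $raw;
}

/** Validate a token from the URL and consume it; returns the user name or null. */
function redeemResetToken(array &$tokens, string $raw, ?string $sessionId = null): ?string
{
    $key = hash('sha256', $raw);
    if (!isset($tokens[$key])) {
        return null;
    }
    $rec = $tokens[$key];
    unset($tokens[$key]);          // single use: valid or not, the token is gone now
    if ($rec['expires'] < time()) {
        return null;               // expired link
    }
    // Optional session binding (the second answer): only the browser session
    // that asked for the reset may complete it.
    if ($rec['session'] !== null && !hash_equals($rec['session'], (string) $sessionId)) {
        return null;
    }
    return $rec['user'];
}

/** Store the new password hash and revoke every other outstanding token for the user. */
function completeReset(array &$users, array &$tokens, string $user, string $newPassword): void
{
    $users[$user]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    foreach ($tokens as $key => $rec) {
        if ($rec['user'] === $user) {
            unset($tokens[$key]);
        }
    }
}

// Usage (constructed): issue, build the URL, redeem from the same session.
$raw = issueResetToken($tokens, 'alice', 'sess-abc');          // 'sess-abc' is an assumed session id
$url = 'https://example.com/reset?token=' . $raw;             // goes into the email; never log it
echo $url, PHP_EOL;

$user = redeemResetToken($tokens, $raw, 'sess-abc');           // 'alice'
completeReset($users, $tokens, $user, 'correct horse battery staple');

// Replaying the same link fails: the token was consumed on first use.
var_dump(redeemResetToken($tokens, $raw, 'sess-abc'));         // NULL
```

Two design notes. The lookup hashes the user-supplied value before touching storage, so a database read for a guessed token reveals nothing about stored tokens, and the 256-bit value makes guessing impractical; the session check uses `hash_equals` so its comparison time does not depend on where the strings differ. Session binding is optional because it also blocks the legitimate case where the user opens the email on a different device; leave `$sessionId` null if that matters more than the extra check.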