What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method?
Change your password: Under "Security," select Signing in to Google. Choose Password. You might need to sign in again. Enter your new password, then select Change Password.
As opposed to a password change, a password reset doesn't require knowledge of the old password.
To reset your Gmail password, you'll need to select the "Forgot password" option on the login screen. Once you click this option, you'll be asked to provide Google with your recovery phone number or email — a link to reset your password will be sent to you.
You can't email the password to the user, because you don't know it. You've "hashed" it by applying something like PBKDF2 or bcrypt to it for storage, right?
If you reset the password without confirming it with the owner of the account, an attacker can deny the owner access to his account, at least until he checks his email, by using the victim's email address to request a reset.
A method safe enough for many applications is to email a link to the account owner, containing a large, randomly generated number. This token should only be valid for a limited time. If the owner wishes to reset their password, they click the link and this authenticates them as the account owner. The account owner can then specify a new password.
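A minimal implementation of the token flow described in this answer, added here as an example and not the answerer's code. The in-memory USERS and RESET_TOKENS dicts, the 15-minute token lifetime and PBKDF2 for password storage are assumptions; only a hash of the token is stored, and every redemption attempt consumes the token.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links expire after 15 minutes

# Constructed in-memory stand-ins for the user and reset-token tables.
USERS = {"alice@example.com": {"password_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ...}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as hex 'salt$digest'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    stored = user["password_hash"] if user else None
    if stored is None:
        return False
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def create_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a reset token to embed in the emailed link; None if the address is unknown.
    Only a hash of the token is stored, so a leaked table does not yield usable links."""
    if email not in USERS:
        return None  # the caller should still show the same generic "check your email" page
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token; set the new password only if it is known and unexpired.
    The record is removed on every attempt, so a token is single-use and cannot be retried."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if record is None or now > record["expires"]:
        return False
    USERS[record["email"]]["password_hash"] = hash_password(new_password)
    return True
```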