Secure ways to reset password or to give old password

What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so, do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method?

Josh Curren asked Mar 01 '10 23:03

1 Answer

You can't email the password to the user, because you don't know it. You've "hashed" it by applying something like PBKDF2 or bcrypt to it for storage, right?

If you reset the password without confirming it with the owner of the account, an attacker can deny the owner access to his account, at least until he checks his email, by using the victim's email address to request a reset.

A method safe enough for many applications is to email a link to the account owner, containing a large, randomly generated number. This token should only be valid for a limited time. If the owner wishes to reset their password, they click the link and this authenticates them as the account owner. The account owner can then specify a new password.

erickson answered Nov 30 '22 07:11
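The token flow the answer describes, as an added example that is not part of the original answer: a large random token is issued and only its hash is stored, the link is valid for a limited time and a single use, and the password is left unchanged until the link is followed, so an unsolicited reset request cannot lock the owner out. The in-memory dictionaries, the 15-minute lifetime and the PBKDF2 parameters are assumptions for the example, not anything stated in the answer.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links expire after 15 minutes

# Constructed in-memory stores standing in for the application's database.
USERS = {"alice": {"email": "alice@example.com", "pw_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ...}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; stored as 'salt_hex:derived_key_hex'."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + dk.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split(":")
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def issue_reset_token(username, now=None):
    """Create a reset token for `username` and return the raw value that goes
    into the emailed link. Only its hash is stored, so a leaked table does not
    contain usable links. The password itself is NOT touched here."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None  # caller should still reply "email sent" to avoid user enumeration
    raw = secrets.token_urlsafe(32)  # 256 bits of randomness
    digest = hashlib.sha256(raw.encode()).hexdigest()
    RESET_TOKENS[digest] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return raw


def consume_reset_token(raw, new_password, now=None):
    """Validate the token from the link; on success set the new password.
    Returns True on success, False if the token is unknown, expired or reused."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(raw.encode()).hexdigest()
    # pop() makes the token single-use; looking up the hash rather than the raw
    # token means the dictionary lookup itself leaks nothing about valid tokens.
    rec = RESET_TOKENS.pop(digest, None)
    if rec is None or now > rec["expires"]:
        return False
    USERS[rec["user"]]["pw_hash"] = hash_password(new_password)
    return True
```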