
What is a secure and efficient method for website users to reset their password?

Many sites implement different methods and I am having a hard time deciding on which method would work best for my site.

My user profiles contain the following data:

username
password (in hash/digest form)
email

I'd like the password reset method to be secure, user-friendly, and efficient.

TheOne asked Jan 04 '11 13:01


1 Answer

You should add two fields, reset_code and reset_expiry

This is the process for a secure password reset functionality.

  • User selects "Forgot password".

  • User prompted for email/username.

  • If valid, generates a GUID, and stores it in reset_code and also stores Now()+24 hours in reset_expiry in the database against that particular user.

  • Then it sends an email to the email address with a link to confirm the password reset. This email would contain a link to your website with the user's username AND reset_code embedded. (This stops a malicious user resetting a third party's password just by knowing their email.)

  • Once the user clicks on the link in the email, they will be directed to your website. Your website will validate that: the username and reset_code matches, and the current time hasn't exceeded the reset_expiry time.

  • If all is okay, we can complete the password reset. This can be done by either:
    a) A new randomly generated password shown onscreen
    b) A new randomly generated password sent via email
    c) The ability to enter a password of his/her own choosing

James Harris answered Nov 21 '22 17:11
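The flow in the answer above, as an added example that is not part of the original post: an in-memory stand-in for the users table (constructed), `request_reset` for the "generate code + expiry" step, `validate_reset` for the link check, and `complete_reset` for option c). It goes slightly beyond the answer by storing only a digest of the reset code and clearing it after use, so a database leak does not expose live links and each link works once; the clock `T0`, the `at()` helper, the username "alice" and the use of `secrets.token_urlsafe` in place of a GUID are all assumptions made here.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

RESET_TTL = timedelta(hours=24)  # the answer's Now()+24 hours
T0 = datetime(2011, 1, 4, 13, 1, tzinfo=timezone.utc)  # constructed clock for the demo

def at(hours):  # constructed timestamp: T0 plus a number of hours
    return T0 + timedelta(hours=hours)

def hash_password(password, salt=None):
    # Salted PBKDF2 so only a digest is stored; bcrypt/argon2 libraries are the usual production choice.
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 600_000)
    return salt + "$" + digest.hex()

def verify_password(user, password):
    salt, _ = user["password_hash"].split("$")
    return hmac.compare_digest(user["password_hash"], hash_password(password, salt))

def make_users():
    # Constructed in-memory stand-in for the users table: the three profile fields plus the two new ones.
    return {"alice": {"email": "alice@example.com", "password_hash": hash_password("old-pass"),
                      "reset_code": None, "reset_expiry": None}}

def request_reset(users, username, now):
    """Steps 2-4: for a valid username, store reset_code (as a digest) and reset_expiry;
    return the raw code so the caller can embed username + code in the e-mailed link."""
    user = users.get(username)
    if user is None:
        return None  # show the same "check your e-mail" page either way so usernames cannot be enumerated
    code = secrets.token_urlsafe(32)  # unguessable random token; uuid4 (the answer's GUID) would work the same way
    user["reset_code"] = hashlib.sha256(code.encode()).hexdigest()
    user["reset_expiry"] = now + RESET_TTL
    return code

def validate_reset(users, username, code, now):
    """Step 5: username and reset_code must match, and now must not exceed reset_expiry."""
    user = users.get(username)
    if user is None or user["reset_code"] is None or now > user["reset_expiry"]:
        return False
    return hmac.compare_digest(user["reset_code"], hashlib.sha256(code.encode()).hexdigest())

def complete_reset(users, username, code, new_password, now):
    """Step 6c: accept the user's chosen password, then clear the code so the link is single-use."""
    if not validate_reset(users, username, code, now):
        return False
    user = users[username]
    user["password_hash"] = hash_password(new_password)
    user["reset_code"] = user["reset_expiry"] = None
    return True
```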