Why is "Forgotten Password" bad?

Question

I came across this statement

Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.

Can someone clarify why forgotten passwords are a risk? I plan to handle it by sending the user a link in their email to reset the password, but will not provide them with the old password (since it's hashed anyway), and will not ask them for the old password when resetting. Is there something risky about my approach?

Answer 1

Your approach is absolutely right, as long as you don't store the password.

Asking the security question is absolutely bad instead, as it's prone to be bypassed just by guessing an answer.

Just a little edit: although it may be difficult to catch all of them, you should try to disallow the usage of mailinator email accounts (or email addresses from similar services) because mailinator + forgot password = disaster.

Answer 2

If Charlie can read Alices e-mail, he can also gain access to all sites offering "lost password" functionality.

Answer 3

The most annoying technique would be the following: you click forgot password, are asked for you email and get your own password (which many user use for porn and their online banking ;)) back in plaintext instead of setting a new one.

I would just copy the big players methods, like paypal or google. I think they should now what they do. The most common case should be: forgot password - get a link to your email where you can set a new one or generate a random, secure one (which the user will change back to 1234 immediately).

As we are there already: never return something like "wrong password", as this implies that at least the username exists.

Answer 4

Sending the user a link in an email is actually in compliance with the guidance given.

What it advices against is the practice of allowing users to reset their password without having to have any additional knowledge, i.e. something like a button that will reset the password without forcing the user to click the link in their email. I'm not sure I ever saw such a system, but it is certainly a bad idea =).