11
votes

A group in my company is implementing a single-sign-on REST API for our applications. This authentication service has a password reset function. The application sends the username to the reset function. If that username is associated with an email address, then an email is sent to that address with a temporary password.

The other approach seems to be sites which email a secure, temporary link which presents a page for the user to input a new password. This page only exists for a short period of time.

I know that email is not a secure protocol, so people could sniff the traffic and recover either the temporary password or the temporary link.

Are there any significant security reasons to prefer one method over the other? Is there another, more secure way to do this?

4

4 Answers

10
votes

In both cases, the private information (temporary password or reset link) is transmitted over the same medium. From this point of view, there's no difference in security. However, the reset link as a few advantages: You force the user to choose a new password. As soon as he does so, the link is void and cannot be abused. Temporary passwords, on the contrary, tend to be not as temporary as you like. Even if you force the user to choose a new password on the next logon, he is likely to enter the temporary one again.

Additionally, you can log the IP of the one who uses the reset link, so have at least something to hand over to the authorities if necessary.

9
votes

Are there any significant security reasons to prefer one method over the other?

Yes. If you go the temporary password route then anyone can annoy the crap out of a user by constantly hitting the reset link and putting in that user's email address. If you use password reset links the user can just ignore them and delete the emails.

4
votes

There's not really a better way for the general public. If it's an internal app, you could conceivably send encrypted e-mails that users have to decode with PGP, but that'd never fly for external users unless you've got a very high-value, niche product.

If e-mail is out, you'd have to use something like security questions, but they have their own (more significant, in my opinion) issues. Issues include:

  • Guessable. Questions like "favourite colour" are fairly susceptible to guessing common choices like 'red', 'blue', 'green' etc.
  • Findable. Many are things off a Facebook/MySpace/Twitter/Flickr profile or otherwise Googleable.
  • Forgettable. I've selected "favourite vacation spot" and then a year or two later not been able to remember what I'd picked.
  • Hard to parse. If I type "St. Paul" for a city name, but later come back with "Saint Paul", would that be accepted?
0
votes

There are plenty of more secure ways to reset a password. All of them are highly inconvenient to your users and expensive to maintain. Having every user send you a DNA sample and fingerprints and then requiring them to show up in person to be verified should help with your security. I'm surprised your top secret organization is allowing you to get security advice on stackoverflow. All kidding aside, how secure does your application need to be? Will attackers really be resetting your user's passwords and then accessing their email?

XKCD always says it best http://xkcd.com/538/