9
votes

What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method?

3
There was a huge discussion on this very topic just recently: stackoverflow.com/questions/2283937/…Greg Hewgill
If your system has the ability to lookup a user's password and email it to him, you've done something very wrong. You should not ever be able to lookup a user's password. You should only be able to hash an incoming password and compare, or change it and send the new password out.Scott

3 Answers

19
votes

You can't email the password to the user, because you don't know it. You've "hashed" it by applying something like PBKDF2 or bcrypt to it for storage, right?

If you reset the password without confirming it with the owner of the account, an attacker can deny the owner access to his account, at least until he checks his email, by using the victim's email address to request a reset.

A method safe enough for many applications is to email a link to the account owner, containing a large, randomly generated number. This token should only be valid for a limited time. If the owner wishes to reset their password, they click the link and this authenticates them as the account owner. The account owner can then specify a new password.

6
votes

You shouldn't send passwords via email. Here is a step by step process I've used:

  1. Give users a reset password option.
  2. This option saves a unique token for a user. The token eventually expires (hours, day or days).
  3. A link is emailed to the user which includes the token.
  4. User clicks on the emailed link.
  5. If the token exists and isn't expired, the link loads a new password form. If not, don't load the new password form.
  6. Once the user sets a new password, delete the token and send the user a confirmation email.

Until the new password is set, the old password should remain active. Don't forget to hash and salt the passwords!

0
votes

I suppose you are going to do it programmatically? Or is it a question for Server Fault?

One of the ways is to send a link to the user's email account. He/she clicks on the link and is redirected to your secure web form where they reset the password.

Do NOT email the password to the user