What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method?
3 Answers
You can't email the password to the user, because you don't know it. You've "hashed" it by applying something like PBKDF2 or bcrypt to it for storage, right?
If you reset the password without confirming it with the owner of the account, an attacker can deny the owner access to his account, at least until he checks his email, by using the victim's email address to request a reset.
A method safe enough for many applications is to email a link to the account owner, containing a large, randomly generated number. This token should only be valid for a limited time. If the owner wishes to reset their password, they click the link and this authenticates them as the account owner. The account owner can then specify a new password.
You shouldn't send passwords via email. Here is a step by step process I've used:
- Give users a reset password option.
- This option saves a unique token for a user. The token eventually expires (hours, day or days).
- A link is emailed to the user which includes the token.
- User clicks on the emailed link.
- If the token exists and isn't expired, the link loads a new password form. If not, don't load the new password form.
- Once the user sets a new password, delete the token and send the user a confirmation email.
Until the new password is set, the old password should remain active. Don't forget to hash and salt the passwords!