I'm developing a web application using Django.
Currently I am working on sending a "reset password link" through email (Amazon Simple Email Service - SES).
The mechanism I used is the same as the one in the answer by "simeonwillbanks" at the link below:
Secure ways to reset password or to give old password
- Give users a reset password option.
- This option saves a unique token for a user. The token eventually expires (hours, day or days).
- A link is emailed to the user which includes the token.
- User clicks on the emailed link.
- If the token exists and isn't expired, the link loads a new password form. If not, don't load the new password form.
- Once the user sets a new password, delete the token and send the user a confirmation email.
What I worry about is that I am not sure this way is safe in terms of security. What if the email is captured by a hacker?
I tested how several major websites handle this:
- get a "reset password" email and copy the link.
- give the link to someone else and see if he can change the password on my account.
From this test, I figured out that somebody else can also change my password with only the link.
If I cannot do anything about the link, is there a way to make the email more secure, like the SSL (HTTPS) mechanism on a website?
Thanks!
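The token flow listed in the question (unique token saved per user, expiry, emailed link, token deleted after use), written out as a small self-contained Python example. This is added illustration, not code from the question, the linked answer, or Django; it uses an in-memory dictionary in place of a database table and a constructed one-hour lifetime. It shows the two mitigations that bound the damage if the email is captured: the stored value is a SHA-256 hash of the token, so a database leak does not reveal usable links, and each token is single-use and superseded by any newer request, so a captured link only works until the legitimate user acts or the lifetime runs out.

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """Password-reset tokens: hashed at rest, time-limited, single-use.

    Assumed stand-in for a Django model with columns
    (token_hash, user_id, expires_at); the dict is the constructed 'table'.
    """

    def __init__(self, ttl_seconds=3600):  # one hour, an assumed value
        self.ttl_seconds = ttl_seconds
        self._rows = {}  # token_hash -> (user_id, expires_at)

    @staticmethod
    def _digest(raw_token):
        # Only the hash is persisted; the raw token exists in the email alone.
        return hashlib.sha256(raw_token.encode("ascii")).hexdigest()

    def create(self, user_id, now=None):
        """Issue a fresh token for user_id and return the raw value for the link."""
        now = time.time() if now is None else now
        # Any earlier outstanding token for this user is invalidated, so a
        # stale captured link stops working as soon as a new one is requested.
        for token_hash, (uid, _) in list(self._rows.items()):
            if uid == user_id:
                del self._rows[token_hash]
        raw_token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(raw_token)] = (user_id, now + self.ttl_seconds)
        return raw_token

    def consume(self, raw_token, now=None):
        """Validate and burn a token; return the user_id or None.

        The row is deleted whether or not the token is still valid, so a
        link can never be used twice.
        """
        now = time.time() if now is None else now
        row = self._rows.pop(self._digest(raw_token), None)
        if row is None:
            return None  # unknown or already used
        user_id, expires_at = row
        if now > expires_at:
            return None  # expired
        return user_id

    def outstanding(self):
        """Number of unused tokens currently stored (for the demo/test)."""
        return len(self._rows)


def build_reset_link(raw_token, base_url="https://example.invalid/reset/"):
    # base_url is a placeholder; the real URL must be served over HTTPS.
    return base_url + raw_token


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.create("alice")
    print("emailed link:", build_reset_link(token))
    print("first use ->", store.consume(token))   # alice
    print("second use ->", store.consume(token))  # None
```

The raw token is the only secret, so it travels once, in the email, and never touches the database; everything else (ownership, expiry, single use) is enforced server-side on the hash.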