-1

The process works like this.

  1. If login fails 5x they are required to reset the password and are sent to the password reset page.
  2. User enters email address
  3. Link is sent to the email address provided. Token, email and time is recorded.
  4. Back at the site, if token is valid, db is checked to find if email addr is actual member.
  5. If they are a member then password reset continues, otherwise they are at a dead end.

But after getting this writen I am wondering if I should check if the email address is associated with an actual member account or not BEFORE sending the email.

So that is my question should I be verifying both before and after or is just after they return to the site sufficient? Implications?

user3154948
  • 137
  • 2
  • 11
  • 1
    usually you just have a "forget password" that'll send a new tmp password-token to the mail configured on the profile – Blag Nov 12 '15 at 23:02
  • 1
    You should definitely check to see if an account is associated with the email before firing one off, otherwise your form could essentially be used to spam someone. Wether or not you indicate to the end-user if the email is associated with an account is up to you, though. You can either go the "If an account is associated with this email, you will receive an email..." vs "This email address is not associated with any account... " – Samsquanch Nov 12 '15 at 23:02
  • 2
    Before sending the mail. Nobody likes to get mail from sites they have never heard of – PeeHaa Nov 12 '15 at 23:02
  • @RokoC.Buljan Ok, I see what you are saying... Rethinking this a bit. – user3154948 Nov 12 '15 at 23:20

2 Answers2

2
  • User submits multiple times incorrect Login Data...

Don't make assumptions

You should not make assumptions if the password was wrong or was it actually the username - neither should you notify the user about the exact error (for security reasons. Don't.).

Let the user figure that out:

Username or Password are incorrect.
Need help?
I forgot my username I forgot my password

  • If one of the above is clicked (popup this:)

Your email: _________________ Send me a [password/username] reset link

  • Check in the DB if the submitted email actually exists!
    (Don't even think about sending Reset links to emails that are not in your registry!)
  • Email exists? Create an Reset Record in DB for that account and send the reset link to your user's email.
  • Email does not exist? Who cares! For security reasons you should display the same success message! (You don't want malicious users to play guessing games? Up to you.)

You should shortly receive an email with a Reset Link to [theEnteredEmail].
Didn't get any Reset Email? Resend

(Optional) Don't lock the account at this point. Keep it accessible. If you have an Active Reset Record you might want to erase it if the user successfully accesses it's profile with the "old" data. The user might be tired or just a bit senile, he might remember his account data in a bit - and might not desire to reset anything, and might want to ignore the Reset-Link email.

Failed password attempts

Grace-time Lock/secure the account only if you notice a high volume of consecutive failed attempts. Create a DB Log of that specific case.
If the username exists in your DB, but the passwords were incorrect → send a discrete notification to the corresponding User Profile Email with all the data you gathered from the log

Hi [user], the [day/time] we registered [n] failed Login attempts to your account:
[logFile]
(n severity=high) We secured/locked your account. Please follow this link to unlock your profile. [unlockProfileLink]
(n severity=low) To make your account more secure use a strong password (Here you can suggest a rest password link)

User is really senile,

opens his email and follows the Reset Link:

  • Check if the Referring Reset-Link still valid for that account.
  • Valid? Create a temporary session

(You should be able to recognize the user account from the Referring URL link that associates to that the account's "opened" expiring Reset Record token)

Hi [user]
Your new [username/password]: _____________
Repeat [username/password]:     _____________ UPDATE [username/password]

  • On submit check if temporary session or Token are not expired and both fields match.

  • If the referrer matches the temporary Reset Record (token) associated to the account - change the password/or/username.

  • Success? User must still properly login from the Login page!

Your [username/password] is now updated. You'll receive shortly a confirmation email.

Login:
Username: _________
Password:  _________ LOGIN

  • Success? Authenticate Login session
  • Fail? Repeat from above :)
Roko C. Buljan
  • 196,159
  • 39
  • 305
  • 313
  • Yep, this is definitely a better scenio!!!! – user3154948 Nov 12 '15 at 23:30
  • I do have one question though, why have them enter an email address at all? Why not just send one to the email address associated with the username? – user3154948 Nov 13 '15 at 00:18
  • 1
    @user3154948 Take this for example: A user arrives to your website, enters the PW 5 times... > you cannot know (and should not know) if the password was wrong or was it actually the username! The user probably entered 5 times the correct password, but the username was wrong! Your system should never do such assumptions, and for security reasons should never return to the View the exact error. Simply do like: "I forgot my password" > "I forgot my username" buttons and proceed as suggested with the *reset* of one of them. – Roko C. Buljan Nov 13 '15 at 00:26
  • Okay, that makes it all make sense now! Excellent Explanation, simple for tired, code weary minds, like mine, to understand! – user3154948 Nov 13 '15 at 00:30
  • In the scenario I presented, technically I am not really locking the account at this point, I am blocking the ip address. My users are elderly, but usually not senile so this is more of a brute force deterrent than anything and I need to keep it as simple as possible for the few that don't have their info written down on a little slip of paper attached to the side of their screen...lol – user3154948 Nov 13 '15 at 11:08
0

EDIT: In case that you do not act as an email account provider:

You should definetly check if the email address is valid, before you send the email. The token you send should always be associated with an actual account, as well. Otherwise it would be possible to change the password of any account you wish. So my suggestion is:

  1. User enters email address
  2. The backend checks if that email address is existing (which the user has told you during the creation of his account). If yes, then generate a token and associate that token with the account. If not, dead end.
  3. Send the token to the email address. User can click on it, verifies that he is the owner of that email address (and of that account, too) and is able to change his password.

If you act as an email account provider you could send him the token to a second email address, which the user has told you, when he registered his account. A better solution would be to send him a token via text message or via mail.

Benjamin Lücking
  • 136
  • 9
  • How should that work? Imagine you lost your password. How can you verify, that you are the owner of that account? One possibility is that they send a new password to the email address that you own. What is your alternative? – Benjamin Lücking Nov 12 '15 at 23:11
  • @BenjaminLücking No, we do not an act as an email account provider. – user3154948 Nov 12 '15 at 23:22
  • So I do not see any problems why you should not send a token to the member's email address. He or she can alternatively enter his or her username and gets his/her token by email. – Benjamin Lücking Nov 12 '15 at 23:28