Would there be any big issues if they never expire?

Somebody forgets his password and requests a password reset; an email with the password reset link is sent to him.

He then suddenly remembers his password and so simply ignores the password reset email. But after a few days, he forgets again. Since he already has a password reset email in his mailbox, he simply clicks on that link to go back to the website and reset his password.

This seems OK, so why should we make account activation/password reset links expire after some time?

BartoszKP
bobo
  • This is one of those cases where the potential advantages of expiration (relating to security and privacy concerns) outweigh the drawbacks (in your example, the user doesn't have to go back and request another password reset). Unless you have a good reason *not to*, follow the standard. – Cody Gray - on strike Dec 23 '10 at 04:32

1 Answer

What if their email account was compromised? The attacker then sees all these "password reset" links and clicks through them, further compromising more accounts, among them your service, which may use real money or credit card information.

EnabrenTane
  • If his email account has been compromised and the attacker sees that email, even if the link is not a permanent one and has already expired, he can still go to that website and request a password reset email, and so the attacker can still compromise that account. – bobo Dec 23 '10 at 08:58
  • Reset password links should also get marked as *used* so sniffers and request logs could not be used to reset passwords again. – crizCraig May 15 '11 at 23:47
  • Once your email is compromised, you're pretty much screwed as far as accounts go, but using some form of easily remembered challenge and response (you know, the standard "What was your first pet's name?" type stuff) can make reset links slightly more secure against the casual hacker. A hacker who is targeting a specific individual probably has, or can find, that information quite easily, but then that's somebody dedicating time and effort to compromise a specific individual's online identity. – Endophage Feb 18 '12 at 08:23
  • @Endophage Good points. However making reset links expire isn't too hard if you store the key in some form of memcache with a key expiration of 24 hours or something. It seems just too easy to not do. – EnabrenTane Feb 19 '12 at 01:37
  • Ummm, I never said you shouldn't expire email links; in fact I advise it, after a time much shorter than 24 hours. I've built a number of user management systems and I advise expiring links after no more than a couple of hours. Users shouldn't be requesting reset links to use later. However, adding a challenge question of some sort makes the link even more secure. Equally, bobo's comment points out that once an email account is compromised, expiry times are irrelevant; the attacker can simply request another reset link. – Endophage Feb 20 '12 at 04:04
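The answer and its comments describe three properties a reset token store should have: the link expires after a short window (EnabrenTane's "memcache key with an expiration", Endophage's "no more than a couple of hours"), the link is burned once it is used (crizCraig's point about sniffers and request logs), and, as one further step the thread does not spell out, issuing a new link supersedes any earlier unused one for the same user. The following is an added example, not code from the question or the answer: an in-memory stand-in for that store in Python. The two-hour TTL, the class and function names, and the `clock` parameter (injected so expiry can be exercised without waiting) are this example's own choices. Only a SHA-256 digest of each token is stored, so a leaked copy of the table or a database log cannot be replayed; the raw token exists only in the emailed link.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetime for a reset link, following Endophage's "no more than a
# couple of hours"; this is the example's choice, not a value from the page.
RESET_TOKEN_TTL_SECONDS = 2 * 60 * 60


@dataclass
class _ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetStore:
    """In-memory stand-in for the memcache entry or database row that would
    hold a password reset token.

    Only the SHA-256 digest of a token is kept, never the token itself, so a
    dump of this store cannot be turned into a working reset link.
    """

    def __init__(
        self,
        ttl_seconds: int = RESET_TOKEN_TTL_SECONDS,
        clock: Callable[[], float] = time.time,
    ) -> None:
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so tests can fast-forward time
        self._records: Dict[str, _ResetRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id and return the raw token that goes
        into the emailed link.

        Any earlier unused token for the same user is marked used first, so
        only the most recently emailed link is valid (example's own choice).
        """
        for rec in self._records.values():
            if rec.user_id == user_id and not rec.used:
                rec.used = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = _ResetRecord(
            user_id=user_id, expires_at=self._clock() + self._ttl
        )
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Consume a token from a reset link.

        Returns the owning user_id on success, or None when the token is
        unknown, already used, or past its expiry. A successful redeem marks
        the record used, so the same link cannot be replayed from a mailbox,
        a proxy log or a sniffed request.
        """
        rec = self._records.get(self._digest(token))
        if rec is None or rec.used:
            return None
        if self._clock() > rec.expires_at:
            rec.used = True  # expired: burn it so it can never succeed later
            return None
        rec.used = True
        return rec.user_id


def demo() -> Dict[str, Optional[str]]:
    """Walk through the scenarios from the thread with a fake clock."""
    now = [1_000_000.0]
    store = PasswordResetStore(clock=lambda: now[0])

    fresh = store.issue("alice")
    results = {"fresh_link": store.redeem(fresh)}          # "alice"
    results["same_link_again"] = store.redeem(fresh)        # None: single use

    old = store.issue("alice")
    now[0] += RESET_TOKEN_TTL_SECONDS + 1                   # days later...
    results["expired_link"] = store.redeem(old)             # None: expired

    first = store.issue("bob")
    second = store.issue("bob")
    results["superseded_link"] = store.redeem(first)        # None: replaced
    results["latest_link"] = store.redeem(second)           # "bob"
    results["forged_link"] = store.redeem("not-a-real-token")  # None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note what this does and does not buy you, consistent with bobo's objection: if the mailbox itself is under an attacker's control, they can simply request a new link, and no TTL helps. What the short window and single-use marking defend against is the stale copy: an old reset email in a mailbox that is compromised months later, a link captured in a proxy or web server access log, or a URL seen by someone sniffing the connection. In a real deployment the store would be the database or cache the site already uses, with the same hash-only, expiring, one-shot semantics.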