1

I'm implementing a password reset mechanism for my ASP.NET application.

I'm wondering: if someone gains access to my database, they can easily read the password reset tokens and change users' passwords as well, so shouldn't I hash the password reset tokens before storing them in my database?

Note: I'm talking about "Password Reset Tokens", not the actual "Passwords"

Arad Alvand
  • Possible duplicate of [How do you use bcrypt for hashing passwords in PHP?](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – floreich Apr 05 '18 at 22:31
  • The reset tokens should expire within a few hours. – Ron Beyer Apr 05 '18 at 22:33
  • @RonBeyer I do know that. Read my question again – Arad Alvand Apr 05 '18 at 22:34
  • I don't see any mention about expirations, how many active reset tokens do you believe you may have at one time? You can also use 2FA, but there is no harm in hashing the tokens like a password. – Ron Beyer Apr 05 '18 at 22:36
  • if someone gets access to your db, password reset token will be your last worry. – dee zg Apr 05 '18 at 22:36

3 Answers

6

If a "password reset token" allows someone to reset a password with other clear text information, then it's effectively the same as a password and should be treated as such.

Make them expire after a few minutes or hours, and treat them like secrets, because they are.

jdphenix
4

Yes, I would recommend that you hash your reset tokens and only then store them in the database.

Also, deleting the record after the token has been used would be good practice. You can use an AesCryptoServiceProvider or some other cryptographic provider to do the job. There are many code samples on how to use them.

Rodrigo Werlang
1

I recommend doing it and consider it good practice to do so.

You should already have the infrastructure in place to do it fairly easily, as you should be doing that already with the passwords.

Benefits:

  • Cheap to implement (existing infrastructure should already be in place)
  • More secure (less room for security issues)
  • Peace of mind
Rick Paul