So I'm planning to use phpass for hashing passwords for my authentication system in PHP. My question is, what is the best practice when someone requests to recover their password because they forgot it? Would you implement a question/answer system and allow them to reset it on the site? Or would you temporarily reset their password with a random password string and send it to them via email, requiring them to change it on next login? Or is there a different, better approach?

2 Answers
Query/responses can be insufficient if the user chooses easily-guessed questions or if the attacker has intimate knowledge of the victim. Many high-profile sites take advantage of the information provided by the original user: an email address. Send a password reset link to the email address, and allow the user to reset the password by following the link.

- @George Cummins Ok, how would I verify the user is allowed to reset their password? Create a unique randomly generated token/key in the database and send them that key? Then when they hit the page it matches the email address to that key and if a match then allow them to reset the password? – John Jun 28 '11 at 15:39
- @John: Yes, that is the typical pattern. You should also ask for a bit of identifying information when the user submits the new password (account number, last transaction, etc). – George Cummins Jun 28 '11 at 15:40
- Fishnet Security published an interesting paper on the available techniques. Their preferred method combines several authentication steps: http://www.fishnetsecurity.com/Resource_/PageResource/White_Papers/FishNetSecurity_SecureForgotPassword.pdf – George Cummins Jun 28 '11 at 15:42
- @George Cummins When they set up their account to begin with I could ask them for something like a 4-digit PIN number. That could be used for an identifying information. Or is that a little overboard? – John Jun 28 '11 at 15:42
- @John, my personal opinion is that a PIN in addition to a password is too much for a user to remember and is easily forgotten. Security questions (in addition to the email-link-to-reset scheme) may allow your users a better chance of remembering, but may also annoy users who want to quickly complete the registration process. You can add as many steps as you like, but you should balance security with convenience. – George Cummins Jun 28 '11 at 15:46
- @John if I don't remember my password, you can be sure that I also don't remember the 4-digit PIN code I entered on registering and never used again. – Carlos Campderrós Jun 28 '11 at 15:47
- @George Cummins I'm reading the document from the link you gave me and it recommends a question/answer setup as the best/secure method. The method of a temporary password was considered a weak solution. – John Jun 28 '11 at 15:52
- @John: I agree that a temporary password should never be used. My recommendation was to start with an emailed token and link to the password reset page. Their approach does not start with the emailed token, but presents the user with three steps to recover the password. Each additional level will add more security, but an attacker with knowledge of the victim can still obtain each of those pieces of information. I think the emailed link is the ideal starting point. You can use as many of the query/response steps as you wish after that point. – George Cummins Jun 28 '11 at 15:55
- @George Cummins Thanks for the info and thanks for the document. Reading it was really helpful. Yeah, in the document he feels emailing any sensitive information would be a bad thing. The only email they should get is a confirmation their password was reset. But emailing a reset token would add another level of security IMO because the attacker would have to sniff the traffic to get the token or get into the user's email. Then, clicking on the link, the hacker would need to know the answers to the questions and the user's login info. – John Jun 28 '11 at 15:58
Refer to Jay's answer at Implement password recovery best practice for ideas on how to make password recovery more secure and why security questions are a bad idea.
Bruce Schneier also has thoughts on the subject.
I'd recommend what Duncan suggested.
However, what you should not do:

- Send the password - because after all, as has already been mentioned, you don't have it.
- Generate a new temporary password - not only is this as insecure as sending the password, it also leads to the possibility of a denial of service attack. I can go to the site, pretend to be you, request a new password and then (if you haven't checked your email) you can't log in, don't know why and have to request a new new password ...

The token is probably the way to go. Receiving it notifies you of a forgotten password request, but doesn't take any action unless you confirm. You would also make it a one-time token with a relatively short expiry time to limit risk.

If anything, a security question should be used to allow a user to initiate a password reset request, i.e. you need to provide your email and security question answer to send the password reset request.

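The emailed one-time, short-lived reset token described in the comments and in the second answer, as an added example written for this page (not code posted by any of the participants). It assumes PHP 7 or later with PDO and two hypothetical tables, users(id, email) and password_resets(id, user_id, token_hash, expires_at, used_at); only a hash of the token is stored, so a leaked database does not yield working reset links.

```php
<?php
// Added example: one-time emailed password reset token (hypothetical schema).
declare(strict_types=1);

const RESET_TTL_SECONDS = 3600; // short expiry limits the window of misuse

// Step 1: the user submits their email address. Behave identically whether or
// not the address exists, so the form does not reveal which emails are registered.
function createResetToken(PDO $db, string $email): ?string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null; // caller still shows "if that address exists, we sent a link"
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, hex-encoded
    $stmt = $db->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    // Store only the hash: the raw token exists solely in the emailed link.
    $stmt->execute([$userId, hash('sha256', $token), time() + RESET_TTL_SECONDS]);
    return $token; // embed in the link, e.g. https://example.test/reset?token=...
}

// Step 2: the user follows the link. Look the token up by its hash, reject
// expired or already-used tokens, and mark it used before the password changes,
// so the same link can never be replayed.
function consumeResetToken(PDO $db, string $token): ?int
{
    $stmt = $db->prepare(
        'SELECT id, user_id FROM password_resets
         WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown, expired or spent token: show a generic error
    }
    $db->prepare('UPDATE password_resets SET used_at = ? WHERE id = ?')
       ->execute([time(), $row['id']]);
    return (int) $row['user_id']; // caller now accepts a new password for this user
}
```

Once consumeResetToken() returns a user id, the new password is hashed with phpass exactly as at registration, and the only email sent afterwards is the "your password was reset" confirmation the comments mention.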