Dominik G

Reputation: 1479

Good password recovery methods

I am currently worrying about a password recovery method for users of a web application.

One idea would be to use an E-Mail with a recovery URL, only asking the user for his/her user name, but if he/she forgot that too, ask for the e-mail address.

Another idea would be to use "secret questions" and then send the password to the user.

Do you know any other, possibly better, options for password recovery? Are there any downsides, besides user frustration, to having a "wrong password limit"?

EDIT: Yesterday I was told that in some of the older versions, which are still updated and used by some customers, neither E-Mail addresses nor user names have to be unique.

So I'm totally stuck now. The only thing coming to my mind is using a secret question which the user can select after first login. But instead of sending an E-Mail, open the "new password dialog" directly.

Do you have any more ideas?

Upvotes: 4

Views: 3195

Answers (1)

mikemxm

Reputation: 472

My opinions: Assuming you require a user's email address to be unique among all registered users, have the password recovery page ask for the user's email address. You can make it "username or email address" but I don't think that little tweak will help enough users to justify your additional backend processing.

For added security do not confirm or deny that the username or email address was found in your database.

An email with a reset password link should work fine. Use a hash (the longer the better; definitely 20 characters or more) so a hacker can't easily guess reset links. For added security specify a time limit after which the reset link will no longer function.

Once the user clicks the link and chooses a new password, do not automatically log them into their account; make them log in from scratch. This will make sure they know their new password and will reduce the chances of a bug in your password recovery code letting hackers directly log in to accounts.

Remind users to check their spam folder, and provide a window of time in which they can reasonably assume they should receive the reset link (so they know how long to wait before complaining to you).

Security questions are usually a bad idea. First off, users struggle to remember what their answer was. It's like adding something to a user's password but giving the world a hint to what that extra part could be. AND the answers will tend to be case insensitive and only alphabetic or alphanumeric.

Make sure you include a way for the user to contact you if the password recovery system isn't working for them. Be cautious, though, as this could be an avenue for a Social Engineering hack.

Password limits can be frustrating for users. Think long and hard about implementing this, how many attempts you'll allow, and the consequences of exceeding that limit. Most people have variations of a single password. Now, that's not smart from a security standpoint, but it happens. A reasonably acting user could very well try hooper2012, Hooper2012, hooper20121, Hooper20121 in under a minute.

Maybe you could, say, after five failed attempts, make the user wait 60 seconds between any future attempts. Double that to 120 seconds after an additional five failed attempts. Continue doubling the wait period every five failed attempts. If you let that continue until, say, 50 consecutive failed attempts, the minimum amount of time it'll take to exhaust those 50 attempts will be 1 day 18 hours and 35 minutes. I'd definitely recommend having something in your code to notify you of any accounts with more than 12 consecutive failed attempts in a day.

After 50 consecutive failed attempts temporarily deactivate the account, and require the user to contact your technical support. Again, be wary of social engineering.

Reset the wait period to 0 once the user provides the correct login credentials.

Upvotes: 2
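The answer above describes two mechanisms: an emailed single-use reset link with a long random token and a time limit, and an escalating wait between failed logins (free for five attempts, then 60 seconds doubling every five failures, hard lock at 50, alert above 12). The following Python is an added illustration written for this page; it is not code from the answer's author. It assumes an in-memory `dict` of accounts keyed by lower-cased email, PBKDF2-HMAC-SHA256 for password storage, and a 30-minute link lifetime (the answer only says to set some limit). The token is stored hashed so that a read-only leak of the table cannot redeem outstanding links, and `redeem_reset` deliberately creates no session, matching the advice to make the user log in from scratch. `minimum_seconds_to_exhaust` reproduces the answer's figure of 1 day 18 hours 35 minutes for 50 attempts.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Tunables taken from the answer: five free attempts, 60 s base wait, doubling
# every five failures, hard lock at 50, alert above 12. The 30-minute reset link
# lifetime and the PBKDF2 parameters are assumptions for this example.
FREE_ATTEMPTS = 5
BASE_WAIT_SECONDS = 60
HARD_LOCK_AT = 50
ALERT_ABOVE = 12
RESET_LINK_TTL_SECONDS = 30 * 60
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    email: str
    password_hash: bytes
    salt: bytes
    reset_token_hash: Optional[str] = None
    reset_expires_at: float = 0.0
    failed_attempts: int = 0
    next_allowed_at: float = 0.0
    locked: bool = False
    alert_raised: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked table is not trivially cracked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_account(email: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email.lower(), hash_password(password, salt), salt)


def request_reset(users: dict, email: str, now: float) -> Optional[str]:
    """Issue a single-use reset token. Returns the token to embed in the emailed
    link, or None when the address is unknown. The web page shows the same
    'if that address is registered, a link has been sent' text in both cases,
    so the form neither confirms nor denies that the address exists."""
    account = users.get(email.lower())
    if account is None:
        return None
    token = secrets.token_urlsafe(32)  # 43 URL-safe chars, 256 bits of entropy
    # Only the hash is stored; the plaintext token exists only in the email.
    account.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    account.reset_expires_at = now + RESET_LINK_TTL_SECONDS
    return token


def redeem_reset(users: dict, email: str, token: str, new_password: str, now: float) -> bool:
    """Validate the link and set the new password. Starts no session: the user
    must log in again with the new password afterwards."""
    account = users.get(email.lower())
    if account is None or account.reset_token_hash is None or now > account.reset_expires_at:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not secrets.compare_digest(presented, account.reset_token_hash):
        return False
    account.salt = secrets.token_bytes(16)
    account.password_hash = hash_password(new_password, account.salt)
    account.reset_token_hash = None      # single use: the link is dead now
    account.failed_attempts = 0          # a verified reset clears the back-off
    account.next_allowed_at = 0.0
    account.locked = False
    return True


def wait_after_failures(failed: int) -> int:
    """Seconds the user must wait before the next attempt after `failed`
    consecutive failures: 0 for the first five, then 60 s, doubling every five."""
    if failed < FREE_ATTEMPTS:
        return 0
    return BASE_WAIT_SECONDS * 2 ** (failed // FREE_ATTEMPTS - 1)


def minimum_seconds_to_exhaust(limit: int = HARD_LOCK_AT) -> int:
    """Total enforced waiting before attempt number `limit` can be made."""
    return sum(wait_after_failures(f) for f in range(limit))


def attempt_login(account: Account, password: str, now: float) -> str:
    """Returns 'ok', 'fail', 'wait' (too early; not counted) or 'locked'."""
    if account.locked:
        return "locked"
    if now < account.next_allowed_at:
        return "wait"
    if secrets.compare_digest(hash_password(password, account.salt), account.password_hash):
        account.failed_attempts = 0      # correct credentials reset the wait to 0
        account.next_allowed_at = 0.0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts > ALERT_ABOVE:
        account.alert_raised = True      # hook an operator notification here
    if account.failed_attempts >= HARD_LOCK_AT:
        account.locked = True            # deactivate; user must contact support
        return "locked"
    account.next_allowed_at = now + wait_after_failures(account.failed_attempts)
    return "fail"
```

Timestamps are passed in explicitly rather than read from the clock so the flow can be exercised deterministically. A real deployment would also count failures per source address and per day (the answer's "more than 12 in a day") and persist the state in the database rather than in process memory.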
