Maff

Reputation: 1032

Forgot Password Feature Spring (Password Retrieval)

I am building a web application which involves a user registering and logging in. I am trying to implement a feature that enables users to retrieve their password to their registered email address. So a message would be sent to re-type their password or just provide their password within that email. I am using Spring; is there any tutorials/articles where someone shows an example of this being implemented? All answers would be appreciated. Thanks

Upvotes: 1

Views: 4070

Answers (2)

OhadR

Reputation: 8839

Since you tagged "java" in the question, I think this info can be useful here: I have implemented a JAVA project for this use case. It is on GitHub, open source.

There are explanations for everything (and if something is missing - let me know...)

Have a look: https://github.com/OhadR/Authentication-Flows

This is the client web-app that uses the auth-flows, with the README with all explanations. It directs you to the implementation: https://github.com/OhadR/oAuth2-sample/tree/master/authentication-flows

Upvotes: 0

user207421

Reputation: 310957

There are basically two approaches.

  1. Send them an expiring link to a page which lets them change their password, preferably after answering a couple of extra security questions such as mother's maiden name, favorite color, dog's name, first teacher, ... that only they would know, and that they have already told you when registering. You can see for yourself that this is reasonably secure, by the expiry of the link and the nature of the secret questions.

  2. Send them their own password. This has all sorts of security problems. For a start, you shouldn't even know their password in the first place: only a hash of it; otherwise your system is subject to a major legal constraint called loss of non-repudiability, which you should discuss with your corporate lawyers before going anywhere near. Second, anybody who intercepts the email can use the password for their own nefarious purposes, which again puts you into repudiability of all transactions, which basically sends you broke.

Don't use (2) :-|

Upvotes: 3
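The following is an added example of approach (1) from the answer above, showing the pieces that make the expiring link reasonably safe: a random token from a CSPRNG, only the token's hash stored server-side, single use, an expiry check, and the password itself kept only as a salted PBKDF2 hash. It is hypothetical code written for this page, not from Spring or from either answer's project; the `example.invalid` host, the account address and the in-memory maps standing in for database tables are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical illustration of an expiring, single-use password-reset link (not Spring's own code). */
public class PasswordResetFlow {

    private static final Duration TOKEN_TTL = Duration.ofMinutes(30);
    private static final SecureRandom RANDOM = new SecureRandom();

    /** What is persisted for a pending reset: the account and the deadline, keyed by the token's hash. */
    static final class PendingReset {
        final String email;
        final Instant expiresAt;
        PendingReset(String email, Instant expiresAt) { this.email = email; this.expiresAt = expiresAt; }
    }

    // In-memory stand-ins for database tables (assumption for this example).
    private final Map<String, PendingReset> pendingByTokenHash = new ConcurrentHashMap<>();
    private final Map<String, String> passwordHashByEmail = new ConcurrentHashMap<>();

    /** Step 1: the user asks for a reset; mint a random token and return the link to put in the e-mail. */
    public String issueResetLink(String email, Instant now) {
        byte[] raw = new byte[32];                         // 256 bits from a CSPRNG
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Store only the hash, so a copy of the table does not contain usable links.
        pendingByTokenHash.put(sha256(token), new PendingReset(email, now.plus(TOKEN_TTL)));
        return "https://example.invalid/reset?token=" + token; // placeholder host (assumption)
    }

    /** Step 2: the link is used with a new password. Returns true only if the password was changed. */
    public boolean redeem(String token, String newPassword, Instant now) {
        // Remove first: the token is single-use whether or not the expiry check below passes.
        PendingReset reset = pendingByTokenHash.remove(sha256(token));
        if (reset == null || now.isAfter(reset.expiresAt)) {
            return false;                                  // unknown, already used, or expired
        }
        passwordHashByEmail.put(reset.email, hashPassword(newPassword));
        return true;
    }

    /** Login check: the password was never stored, only a salted PBKDF2 hash of it. */
    public boolean verifyPassword(String email, String candidate) {
        String stored = passwordHashByEmail.get(email);
        if (stored == null) return false;
        String[] parts = stored.split("\\$");              // "<base64 salt>$<base64 hash>"
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, pbkdf2(candidate, salt)); // constant-time compare
    }

    static String hashPassword(String password) {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        return Base64.getEncoder().encodeToString(salt) + "$"
             + Base64.getEncoder().encodeToString(pbkdf2(password, salt));
    }

    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 310_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        PasswordResetFlow flow = new PasswordResetFlow();
        Instant t0 = Instant.now();
        String email = "alice@example.invalid";            // constructed account for the demo

        String link = flow.issueResetLink(email, t0);
        String token = link.substring(link.indexOf("token=") + "token=".length());
        System.out.println("fresh token accepted: " + flow.redeem(token, "correct horse", t0.plusSeconds(60)));
        System.out.println("reused token accepted: " + flow.redeem(token, "other", t0.plusSeconds(120)));
        System.out.println("login with new password: " + flow.verifyPassword(email, "correct horse"));

        String staleLink = flow.issueResetLink(email, t0);
        String staleToken = staleLink.substring(staleLink.indexOf("token=") + "token=".length());
        System.out.println("expired token accepted: "
                + flow.redeem(staleToken, "late", t0.plus(TOKEN_TTL).plusSeconds(1)));
    }
}
```

The `main` walks through the cases the answer's reasoning rests on: a fresh token within its lifetime, the same token presented a second time, a login against the newly stored hash, and a token presented after `TOKEN_TTL` has elapsed. Two design points worth keeping when moving this onto a real database: the request endpoint should answer identically whether or not the address is registered, and the token itself must never be logged or stored, only its hash.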
