Resetting passwords without emailing the user

Question

We need to provide a way to reset password for users who are using our website. The typical way is to send email to the user and ask to click on the link to reset.

The issue is that we don't want to run a mail server just for the purpose of resetting password. Is there other clever way of reseting password without having to mail the user?

EDIT: This is for users who forgot their passwords.

Answer 1

I had this same issue with a very odd and demanding client. The site was a company intranet, that could be accessed via a VPN for telecommuters. One of the requirements (it was written in bold):

Password re-set mechanism should be convenient and not rely on e-mail. Re-set requests must be granted conveniently and require evidence that the site trusted the visitor prior to the re-set request

What I ended up doing was generating a Manderbolt (100x100) for the user to download as their 're-set' token, along with some secret questions that they would have to answer. To change their password, they would have to answer their questions and upload their fractal (the quadratic plane was defined based on their private information with simple hashing to avoid collisions).

This satisfied a requirement that password re-sets had to be based on what they had as well as what they knew. If they lost the fractal or forgot the answers to their secret questions, they had to appear in person to have the password re-set.

Not exactly bullet proof, but it satisfied the needs at the time. The challenge was making the fractals unique (at least 30 pixels unique), since most users shared a lot of common private data (city, state, area code, etc).

Edit

The fractal (rather, a one way representation of it) was used elsewhere as well. Think RFID + camera.

Answer 2

Use OpenID. Then it becomes the problem of an OpenID service provider to recover your users' passwords. And your users will be thankful for they don't need to remember yet another stinky password.

Answer 3

You can immediately expire their current password and require them to change it next time they login. A couple of password reset systems do this.

EDIT: Since this is for users that forgot their password rather than a forced change, you should just take them directly to the link you would have emailed them anyway when they forgot their password. Make them enter an e-mail address they registered with and some other data you can validate with. Basically, what the other answers said.

Answer 4

There must be some class that comunicates directly with remote SMTP server (e.g., ISP's SMTP server) by using sockets - just find such class and you won't have to run private SMTP server to send e-mails.

Answer 5

You need some way to validate the user's identity to prevent other people resetting the password. Perhaps you could get them to set up some questions (like mother's maiden name, favourite colour) when they sign up. They can only reset their password if they correctly answer the questions.

Answer 6

You could use standard mail to send new password :-).

Generally you need to verify that user which is trying to reset the password is the one who was originally registered. The easiest way is to send password reset link to email used on registration. Alternatively you can have some kind of security question, which will allow to reset the password, but most people will choose something really lame and you end up with server where it is quite easy to steal identities.

Answer 7

The usual answer to this would be some form of security question. If you don't have some barrier for the user to cross, you open the system up to allow almost anyone to reset the password.