What is a secure and efficient method for website users to reset their password?

Question

Many sites implement different methods and I am having a hard time deciding on which method would work best for my site.

My user profiles contain the following data:

username
password (in hash/digest form)
email

I'd like the password reset method to be secure, user-friendly, and efficient.

Answer 1

You should not store the passwords of your users, not even in encrypted form. You should only store the hash/digest necessary for authentication. Then, you can't "recover" the password (because you don't know it), you can just reset it, and/or give the user a temporary one-time password that allows him to set a new password.

Update: if you are doing the above, the standard procedure is to have a "require-password-reset" form. The user enters his id (typically his email) and a "token" (eg, a random string) is generated, stored in some table with some expiration date, and sent to his email along with a link to the "password-reset" form. In this form the token is checked, the user is allowed to enter a new password, and instructed to attempt a new login.

Update 2: A small privacy issue might arise: What should we do if the user id (email, user name, or whatever) entered in the request form does not exist in our database? To output a message "User does not exist. Check the id and retry." may be ok, but in some cases it would cause a privacy problem: anyone can check if other someone is registered in your database! If you want to avoid that, you must output the same message ("a mail has been sent with instructions...") even if the user wasnt found (and hence a mail was not actually sent). Similar privacy issues advise to just output the message "login incorrect : bad user or password" when the user tries to login unsuccessfully - don't disclose if it was an incorrect user or password.

Answer 2

You should add two fields, reset_code and reset_expiry

This is the process for a secure password reset functionality.

• User selects "Forgot password".

• User prompted for email/username.

• If valid, generates a GUID, and stores it in reset_code and also stores Now()+24 hours in reset_expiry in the database against that particular user.

• Then it sends an email to the email address with a link to confirm the password reset. This email would contain a link to your website with the user's username AND reset_code embedded. (This stops a malicious user resetting a third parties password just by knowing their email)

• Once the user clicks on the link in the email, they will be directed to your website. Your website will validate that: the username and reset_code matches, and the current time hasn't exceeded the reset_expiry time.

• If all is okay, we can complete the password reset. This can be done by either:
  a) Onscreen a new randomly generated password
  b) A new randomly generated password via email
  c) The ability to enter a password of his/her own choosing
  

Answer 3

I agree with Leonbloy. Storing the password leads to trouble like the Gawker incident from a few weeks ago (1.5 million userid/pwd combinations were discovered and published).

You should, however, have a "reset password" function that e-mails the new password to the original e-mail address used to open the account.

There should be no provision for changing the e-mail address during the password reset. If the user doesn't have access to the old e-mail account anymore, too bad. Abandon the account and start over.

And use a good Captcha on the reset screen.