Best way for a ‘forgot password’ implementation? [closed]

by

Update: revised in May 2013 for a better approach

  1. The user enters his username and hits “forgot password”. I also recommend the option of entering the email address instead of the username, because usernames are sometimes forgotten too.
  2. The system has a table password_change_requests with the columns ID, Time and UserID. When the new user presses the button, a record is created in the table. The Time column contains the time when the user pressed the “Forgot Password” button. The ID is a string. A long random string is created (say, a GUID) and then hashed like a password (which is a separate topic in and of itself). This hash is then used as the ‘ID’ in the table.
  3. The system sends an email to the user which contains a link in it. The link also contains the original ID string (before the hashing). The link will be something like this: http://www.mysite.com/forgotpassword.jsp?ID=01234567890ABCDEF. The forgotpassword.jsp page should be able to retrieve the ID parameter. Sorry, I don’t know Java, so I can’t be more specific.
  4. When the user clicks the link in the email, he is moved to your page. The page retrieves the ID from the URL, hashes it again, and checks against the table. If such a record is there and is no more than, say, 24 hours old, the user is presented with the prompt to enter a new password.
  5. The user enters a new password, hits OK and everyone lives happily ever after… until next time!

More Related Contents:

  1. Disable browser ‘Save Password’ functionality
  2. Difference between Hashing a Password and Encrypting it
  3. JWT (JSON Web Token) automatic prolongation of expiration
  4. Is “double hashing” a password less secure than just hashing it once?
  5. What is token-based authentication?
  6. Authentication versus Authorization
  7. Where to store JWT in browser? How to protect against CSRF?
  8. Non-random salt for password hashes
  9. SHA512 vs. Blowfish and Bcrypt [closed]
  10. Encrypting/Hashing plain text passwords in database [closed]
  11. JWT refresh token flow
  12. SPA best practices for authentication and session management
  13. Forgot Password: what is the best method of implementing a forgot password function?
  14. What algorithm should I use to hash passwords into my database? [duplicate]
  15. How do I store and retrieve credentials from the Windows Vault credential manager?
  16. Symfony2 extending DefaultAuthenticationSuccessHandler
  17. Moving old passwords to new hashing algorithm?
  18. What is the best Distributed Brute Force countermeasure? [closed]
  19. Should I hash the password before sending it to the server side?
  20. How to do stateless (session-less) & cookie-less authentication?
  21. Using Symfony2’s AccessDeniedHandlerInterface
  22. Why not use MD5 for password hashing?
  23. Should I impose a maximum length on passwords?
  24. How to manually decrypt an ASP.NET Core Authentication cookie?
  25. Secure Google Cloud Functions http trigger with auth
  26. Google Authenticator available as a public service?
  27. Best practices for server-side handling of JWT tokens [closed]
  28. What are best practices for securing the admin section of a website? [closed]
  29. What is the best “forgot my password” method? [duplicate]
  30. Do I need a “random salt” once per password or only once per database?

Leave a Comment