Recover / Reset lost password options via email

[Front-end] Unresolved
栀梦 2021-01-18 13:15

I am working on a C# ASP.MVC 4 project making use of the DefaultMembershipProvider and I am trying to come up with a user friendly way to recover / reset a lost password.

2 answers
  •  野趣味 (OP)
    2021-01-18 13:50

    There is a flaw in your approach - you write that sending the email resets user passwords. This would be misused easily to reset passwords for any of your users by just anyone, assuming that the misusing person knows the login. In other words, I would just sit in front of your system and block other users' accounts by just clicking "I don't remember my password" and providing their user names.

    So, you don't have to reset anything. The approach would be to create a store for unlock requests (can be a table in a database) where each request is identified by a guid and has an expiration date, the username and a flag to mark if a request has been used. When you send the email, you create a record in this request store and the email contains a link with the guid (note that no other information is required in the unlock email).

    Then, when someone clicks the link in their email, at the server side you have the guid of the request. From your request store you read the expiration date, the username and the information whether the link has been used before. Then you present a form where the user provides his new password.

    Compared to your approach, this has the advantage of not interfering with existing passwords. Also, hiding all the information at the server side and exposing only a guid to the user has the advantage of not exposing potentially sensitive information to the client (like the link expiration date).
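The store-and-link design described in the answer, written out as an added example (this is not code from the original post or from the asker's project). It is a plain in-memory store with no ASP.NET dependency so the three steps are visible in one place: create a request when "forgot password" is submitted, validate the guid from the clicked link, and consume the request when the new password form is posted. The `UnlockRequestStore` class, the `setPassword` callback and the use of `DateTime` injected as a parameter are assumptions made for this example; a real project would back the store with a database table and wire `setPassword` to the membership provider.

```csharp
using System;
using System.Collections.Generic;

// One row of the "unlock request" store from the answer: guid, username,
// expiry and a used flag. Nothing about the user's current password is kept here.
public class UnlockRequest
{
    public Guid Id { get; set; }
    public string UserName { get; set; }
    public DateTime ExpiresAtUtc { get; set; }
    public bool Used { get; set; }
}

// Hypothetical in-memory store standing in for the database table.
public class UnlockRequestStore
{
    private readonly Dictionary<Guid, UnlockRequest> _requests = new Dictionary<Guid, UnlockRequest>();
    private readonly TimeSpan _lifetime;

    public UnlockRequestStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Step 1: "I don't remember my password" was submitted. Record a request and
    // return the guid that goes into the e-mail link. The existing password is
    // untouched, so an attacker who only knows a login cannot lock anyone out.
    public Guid CreateRequest(string userName, DateTime nowUtc)
    {
        var request = new UnlockRequest
        {
            // Guid.NewGuid() follows the answer; a token from
            // System.Security.Cryptography.RandomNumberGenerator would be the
            // stronger choice, since Guid is not specified to be cryptographically random.
            Id = Guid.NewGuid(),
            UserName = userName,
            ExpiresAtUtc = nowUtc + _lifetime,
            Used = false
        };
        _requests[request.Id] = request;
        return request.Id;
    }

    // Step 2: the link was clicked. The only thing the client supplies is the
    // guid; expiry, username and used flag come from the server-side store.
    // Returns the username for a valid request, otherwise null.
    public string Validate(Guid id, DateTime nowUtc)
    {
        UnlockRequest request;
        if (!_requests.TryGetValue(id, out request)) return null; // unknown guid
        if (request.Used) return null;                            // link already consumed
        if (nowUtc >= request.ExpiresAtUtc) return null;          // link expired
        return request.UserName;
    }

    // Step 3: the new-password form was posted. Re-check the request, mark it
    // used so the same link cannot be replayed, then hand the username and new
    // password to the caller's setPassword callback (hypothetical; in MVC 4 this
    // would wrap the membership provider).
    public bool Consume(Guid id, string newPassword, DateTime nowUtc,
                        Func<string, string, bool> setPassword)
    {
        var userName = Validate(id, nowUtc);
        if (userName == null) return false;
        _requests[id].Used = true;
        return setPassword(userName, newPassword);
    }
}

public static class UnlockRequestDemo
{
    public static void Main()
    {
        var store = new UnlockRequestStore(TimeSpan.FromHours(1));
        var now = new DateTime(2021, 1, 18, 13, 50, 0, DateTimeKind.Utc); // constructed sample time
        var guid = store.CreateRequest("alice", now);                   // constructed sample user

        Console.WriteLine(store.Validate(guid, now));                   // alice
        Console.WriteLine(store.Validate(guid, now.AddHours(2)));       // (empty: expired)

        bool ok = store.Consume(guid, "new-secret", now, (user, pw) => true);
        Console.WriteLine(ok);                                          // True
        Console.WriteLine(store.Validate(guid, now));                   // (empty: already used)
    }
}
```

In an ASP.NET MVC 4 project using the default membership provider, one common way to implement the `setPassword` callback (assuming password reset is enabled in the provider configuration) is to look up the `MembershipUser`, call `ResetPassword()` to obtain a temporary password, and then call `ChangePassword(temporary, newPassword)`; the store above does not depend on that choice.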
