Password reset by emailing temporary passwords

Question

A group in my company is implementing a single-sign-on REST API for our applications. This authentication service has a password reset function. The application sends the user

Answer 1

There's not really a better way for the general public. If it's an internal app, you could conceivably send encrypted e-mails that users have to decode with PGP, but that'd never fly for external users unless you've got a very high-value, niche product.

If e-mail is out, you'd have to use something like security questions, but they have their own (more significant, in my opinion) issues. Issues include:

• Guessable. Questions like "favourite colour" are fairly susceptible to guessing common choices like 'red', 'blue', 'green' etc.
• Findable. Many are things off a Facebook/MySpace/Twitter/Flickr profile or otherwise Googleable.
• Forgettable. I've selected "favourite vacation spot" and then a year or two later not been able to remember what I'd picked.
• Hard to parse. If I type "St. Paul" for a city name, but later come back with "Saint Paul", would that be accepted?

Answer 2

There are plenty of more secure ways to reset a password. All of them are highly inconvenient to your users and expensive to maintain. Having every user send you a DNA sample and fingerprints and then requiring them to show up in person to be verified should help with your security. I'm surprised your top secret organization is allowing you to get security advice on stackoverflow. All kidding aside, how secure does your application need to be? Will attackers really be resetting your user's passwords and then accessing their email?

XKCD always says it best http://xkcd.com/538/

Answer 3

Are there any significant security reasons to prefer one method over the other?

Yes. If you go the temporary password route then anyone can annoy the crap out of a user by constantly hitting the reset link and putting in that user's email address. If you use password reset links the user can just ignore them and delete the emails.

Answer 4

In both cases, the private information (temporary password or reset link) is transmitted over the same medium. From this point of view, there's no difference in security. However, the reset link as a few advantages: You force the user to choose a new password. As soon as he does so, the link is void and cannot be abused. Temporary passwords, on the contrary, tend to be not as temporary as you like. Even if you force the user to choose a new password on the next logon, he is likely to enter the temporary one again.

Additionally, you can log the IP of the one who uses the reset link, so have at least something to hand over to the authorities if necessary.