Best way for a 'forgot password' implementation? [closed]

Answer 1

If you include an email address with the registration. The "forget password" button sends an email to that email address. It ensures that the information is send to a trusted email.

(Unless the database is hacked, but then nothing is safe).

Answer 2

Update: revised in May 2013 for a better approach

1. The user enters his username and hits "forgot password". I also recommend the option of entering the email address instead of the username, because usernames are sometimes forgotten too.
2. The system has a table password_change_requests with the columns ID, Time and UserID. When the new user presses the button, a record is created in the table. The Time column contains the time when the user pressed the "Forgot Password" button. The ID is a string. A long random string is created (say, a GUID) and then hashed like a password (which is a separate topic in and of itself). This hash is then used as the 'ID' in the table.
3. The system sends an email to the user which contains a link in it. The link also contains the original ID string (before the hashing). The link will be something like this: http://www.mysite.com/forgotpassword.jsp?ID=01234567890ABCDEF. The forgotpassword.jsp page should be able to retrieve the ID parameter. Sorry, I don't know Java, so I can't be more specific.
4. When the user clicks the link in the email, he is moved to your page. The page retrieves the ID from the URL, hashes it again, and checks against the table. If such a record is there and is no more than, say, 24 hours old, the user is presented with the prompt to enter a new password.
5. The user enters a new password, hits OK and everyone lives happily ever after... until next time!

Answer 3

I would enforce unique email addresses across the accounts.

Then it is a simple matter of sending a link to a temporary page that allows the person to change their password. (allow 24 hours or less)

The user's email account is the weakest link in this scenario.

Answer 4

As said, it depends on the level of security required, however, if you need a higher level, some novel solutions I have seen include;

• Displaying half of the temporary password when the user's identity has been confirmed (security question, email address etc.) then the other half being sent to the email account. If the email account has been compromised, it is unlikely that the same person has also managed to perform a man-in-the middle attack. (Seen on UK Goverment Gateway)

• Confirming identity via email and another medium - for example a code sent via text to a registered mobile. (Seen on eBay / PayPal)

For somewhere in between these two extremes implementing security questions may be the way to go as mentioned by DaveG.