What is the best “forgot my password” method? [duplicate]

Answer 1

Read the OWASP top ten to make sure your method is compliant.

Here is the direct link.

Answer 2

I've tried a couple of methods that I've not really been happy with. What I've settled on for the next project is to:

1. User enters username and email address
2. Email sent with link containing url and guid param which has been stored in db with 48 hour expiry
3. User confirms password to be reset
4. New password is emailed to user
5. Login with new password displays message or redirects to change password page.

Answer 3

There's no real difference between the security of option 1 or 2. Option 1 is effectively the same as preloading the new password in the form.

In fact, with the prevalence of phishing attacks, one could argue that encouraging use of option 1 with long URLs could make people less alert about clicking on long mysterious URLs.

Answer 4

Note that Option #2 also requires you to keep track of the old password and expire the new random password if it isn't used within, say 24 hours.

Otherwise I could annoy you by repeatedly issuing you a new random password -- if you are not near your email you might not know why you cannot log in with your normal password.

Also, please avoid requiring an "identification question". The answers to these questions are typically much easier to guess/lookup than real passwords -- so everybody can identify themselves as me. See the Sarah Palin story for a recent example of how insecure this is.

Answer 5

Option #1 is probably the best. #3 is insecure (and I also suggest using something stronger than MD5, such as SHA1). Option #2 is not good because it allows any random person to lock you out of your account until you check your email, unless you use a security question. And security questions are often easier to crack than passwords.

Answer 6

You could made a mix between #1 and #2, taking advantages from both:

Send the user an email with a link to a unique, hidden URL that allows him to change a new randomly generated password.

That page could be SSL, and the password could expire in 12-24 hours.