What is the best “forgot my password” method? [duplicate]

Answer 1

There is an additional option that you can use in combination with any of the options that you mention:

You can let the user write a reminder for their password, that you send to them as the first step when they have forgotten the password. If the reminder doesn't help the user, you can go on to the next option.

As the reminder isn't the password itself, it's safe to send by mail (or perhaps even display directly on the page).

Answer 2

Just a quick note on something not specifically in regards to your question. You mentioned you used MD5 to hash stored passwords. Regardless of whether you choose to use Options 1 or 2 (3 is going to be the least secure as, for obvious reasons), MD5 is a cracked hashing algorithm, and can actually make it fairly easy for hackers to gain access to accounts protected by MD5 hashing.

You can read more about the vulnerability it at the following URL: en.wikipedia.org/wiki/MD5

A better hashing solution would be something like SHA, which is still a stable and secure hashing algorithm. Combined with option #1 or #2, you should have a reasonably secure system in place to protect your users passwords, barring all but the most determined hackers.

Answer 3

Either option 1 or 2 would be fine. As you said, option 3 is insecure as you would need to store the clear text password. You could probably get fancy and use a reversible encryption algorithm to store/retrieve the password, but with better alternatives available to you there's no reason to go down that road.

Answer 4

I agree with your comments about option #3 being insecure.

As for programming either #1 or #2, option #2 is easier to program but #1 isn't much harder and both are probably about as secure as each other.

Whichever option you choose, you can also consider making it more secure by including requests for personal information (that you obtain during registration) as part of the forgotten password process.

I've programmed systems where you have a username and to get a new password you have to enter both your username and your email address. You can get sent a reminder of your username but the main point is that someone probably won't be able to guess your username and your email but if you do it just on email, there's less secure.

Secret questions are an approach to the personal information part. I personally think they don't offer a lot of value as people tend to choose questions that many people will either know the answer to, be able to guess or be able to find out. It is better than nothing however so long as you use it in conjunction with an already relatively secure method.

Obviously the more of this you do, the more programming work it is.

The simplest method is:

1. Have a "remind me of my username" link (enter email). Don't tell the user if an email was sent or not because people can use that to find out if an email address is of a member. Always tell the user to check their inbox for the reminder email but only send it if someone is a member; and
2. Require both username and email to get sent a new one-time password. That password should only last an hour or so. When the user uses it, they should be forced to change their password immediately.

Answer 5

Instruct the user come personally to your offices and prove her identity with id card or passport.

This, of course, assumes that you have offices near your users and that the account are valuable enough to justify this procedure. Suitable for example banks.