forgot-password

I'm wondering if there is a manner of calling the 'forgot password' procedure without forcing my user to log out The case I'm running into is: 1. a user logs in with facebook, a fake password is generated for them 2. the user then wants to change their email/name/password, or just use non facebook login since devise requires a password to change these fields, as it should, the user is unable to modify them I had thought about just not forcing the password to be set but that doesn't make sense security wise so instead I just display the fields as text and notify the user to follow the 'forgot

As far as I can think, there are two reasonable ways to reset a user's forgotten password. Have the user enter their email address and a new plaintext password is sent to their email address. A link is sent to their email address which has a UID number in the URL. Clicking on this takes the user to a form on the website where they can choose there own new password. Which method is preferable and why? If method 1 is used, perhaps a third party could read the email and obtain the new password. If method 2 is used, what is to stop someone methodically going through UID codes to try and access the

Evaluting the method signature, it is required to know old password while changing it. membershipUser.ChangePassword(userWrapper.OldPassword, userWrapper.Password) Is there any way to change password without knowing old one. string username = "username"; string password = "newpassword"; MembershipUser mu = Membership.GetUser(username); mu.ChangePassword(mu.ResetPassword(), password); The other answers here are correct, but can leave the password in an unknown state. ChangePassword will throw exceptions if the password doesn't meet the requirements laid out in Web.Config (minimum length, etc.).

I'm trying to get all of my system's email notifications under one umbrella using PostMarkApp and utilizing the Rails gems ( postmark-rails , postmark-gem , and mail ). I have successfully created a mailer that handles sending receipts for purchases but I haven't been able to receive emails for forgotten passwords. My development logs show that Devise sent the message but no email is received in my inbox and the PostMark credits are not decremented. What's the best or easiest way to have Devise's mailers send through my PostMark account? Snippet from config/environments/development.rb config

I've seen various questions regarding this issue, but there are a couple of questions that haven't been asked. If the user forgets their password, I would like them to be able to reset it with only their email address (i.e. there's no security question/answer). The password is stored as a salted hash, so there's no recovery possible. Instead, I'd just like the user to enter a new password after confirming that they have requested a reset. A common method that's been mentioned is to simply: 1) Create a random Guid/Cryptographically strong random number 2) Send a unique URL containing the random

Possible Duplicate: Forgot Password: what is the best method of implementing a forgot password function? I'm programming a community website. I want to build a "forgot my password" feature. Looking around at different sites, I've found they employ one of three options : send the user an email with a link to a unique, hidden URL that allows him to change his password (Gmail and Amazon) send the user an email with a new, randomly generated password (Wordpress) send the user his current password (www.teach12.com) Option #3 seems the most convenient to the user but since I save passwords as an MD5

I want to to implement password recovery in my web application. I'd like to avoid using secret questions. I could just send the password by e-mail but I think it would be risky. Maybe I could generate a new temporary random password and send it by e-mail but I think it is as risky as the above point. Can I send a url by e-mail for example http://example.com/token=xxxx where xxxx is a random token associated with the user. So when the user navigates to that url he/she can reset the password. First off, do not store a plain-text copy of the user's password, or even an encrypted version. You want