security - How to keep passwords safe when a "Forgot Password" function is available


A colleague and I are discussing how to implement a "lost password" feature on our company's proprietary web application.

We have decided that to create an account there are 3 required elements:

1) screen name
2) email address (used for logging in)
3) password (obviously, used for logging in; stored as a one-way hash)

Once we have this info, the user attempting to sign up is sent a verification email with a link and an activation key. To activate the account they need to follow the link, enter the activation key, and re-enter their email and password. If everything matches, presto! The new user account is activated.

After the account is activated, let's say the user forgets their password. We have 2 ideas for how to handle this situation.

Idea 1

  1. The user clicks "forgot password"
  2. The user is prompted for the account's email address
  3. If the email matches an active, non-closed account, send a temporary password to the validated email address
  4. The user attempts to log in with the temporary password
  5. If the temporary password matches the email address, prompt the user to reset their password. Prevent full login until the temporary password is replaced.

Idea 2

This would require secret question and secret answer data to be collected during signup.

  1. The user clicks "forgot password"
  2. The user is prompted for their email address and the answer to the secret question
  3. Upon validating both, the user is allowed to reset their password

Concerns

One concern we have (internal to our company) is that multiple employees use a single login account. Some of us think this eliminates the secret question method as an option.

However, a password sent by email (temporary or not) is vulnerable, as email is not secure.

Question summary

Considering the internal operational constraints (multiple people with a single login), which of these ideas is the more secure and user-friendly option? Or is neither adequate?


Edit

Could Stack Overflow help me out with evaluating the answers? There are a few opinions expressed below, but there isn't any indication of the answers' quality.

In my systems, when a user requests a lost password I:

  1. Generate a GUID and store it in the database along with the date/time of the request.
  2. Send the user a link with the GUID encoded, so when they click on the link it ties them to the GUID.
  3. Make sure the GUID/link has not been 'used'.
  4. Make sure the request is not older than 30 minutes (for security purposes they have a small window of time to use the activation link; this is made known in a message on the request password screen).

If all the conditions are true, let them create a new password.

Generally speaking, though email is not terribly secure, if someone's email account is compromised, they have a huge security hole. Telling them they have 30 minutes to re-activate their accounts cuts down on the window in which someone could misuse the information: it can be used once, it goes to a known email address, and it can only be used within 30 minutes... For the types of systems I have done, this is secure enough without burdening the users (or admins) too much.
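The procedure from the answer above (a token issued and stored with the request time, single use, 30-minute expiry) as an added Python example; this is not code from the original post. It goes slightly beyond the answer: the token is a random 256-bit value instead of a GUID, and only its SHA-256 hash is stored, so a copy of the table cannot be replayed as reset links. The in-memory dictionary is a constructed stand-in for the database table.

```python
import hashlib
import secrets
import time
from typing import Optional

RESET_WINDOW_SECONDS = 30 * 60  # the 30-minute window from the answer above

# Constructed in-memory stand-in for the database table of reset requests:
# token_hash -> {"email", "requested_at", "used"}
_reset_requests = {}


def _hash_token(token: str) -> str:
    # Only the SHA-256 of the token is stored, so a copy of this table
    # cannot be turned back into working reset links
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_request(email: str, now: Optional[float] = None) -> str:
    """Issue a one-time reset token for `email` and record the request time.

    Returns the raw token to embed in the e-mailed link; only its hash is kept.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, used in place of a GUID
    _reset_requests[_hash_token(token)] = {
        "email": email,
        "requested_at": now,
        "used": False,
    }
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Validate a token from a clicked link; return the e-mail it was issued for.

    Returns None when the token is unknown, already used, or older than the
    window. Every failure looks the same to the caller, so the response does
    not reveal which check failed. A success marks the token as used.
    """
    now = time.time() if now is None else now
    record = _reset_requests.get(_hash_token(token))
    if record is None or record["used"]:
        return None
    if now - record["requested_at"] > RESET_WINDOW_SECONDS:
        return None
    record["used"] = True  # single use: a second click on the same link is refused
    return record["email"]
```

In the web application the dictionary would be the database table the answer describes, and all three rejected cases should produce the same user-facing message.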

