Passwords
likejavascript, 2013-04-12 08:57:20

How to securely implement a password reset on a website

Actually a subject. I need to implement a password reset function on my site.
I have never had to do this before, so I want to know from you how to do it right from a security point of view.
PS: Or if it takes too long to paint, then please throw in some articles on this subject. Surely the topic has already been beaten.


3 answer(s)
Denis Oleshkevich, 2013-04-12
@likejavascript

I recommend this option:
1. The user requests password recovery
2. We send him an email with a special link containing the token
3. The user follows the link from the email
4. Verify the token, then authorize the user and let them set a new password
5. Save the password hash in the database
Subtleties:
- Token - a fairly long string of random characters
- The token must have an expiration date, for example 1 hour. This will protect the system from iterating over tokens.
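The flow above (random token, stored hashed, one-hour expiry, single use, then a salted password hash) written out as an added example; this is not code from the answer or from any particular framework, and the in-memory `RESET_TOKENS` dict and `TOKEN_TTL` value are assumptions standing in for a real database table.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # one hour, as suggested in the answer (assumed value)

# Hypothetical stand-in for a reset-token table: user_id -> record.
# Only the hash of the token is stored, so a leaked table does not
# hand out usable reset links.
RESET_TOKENS = {}

def issue_reset_token(user_id, now=None):
    """Steps 1-2: mint a long random token, store its hash plus expiry,
    and return the raw token to embed in the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[user_id] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires_at": now + TOKEN_TTL,
    }
    return token

def verify_reset_token(user_id, token, now=None):
    """Steps 3-4: accept the token only if it exists, is unexpired and
    matches; consume it on success so a link cannot be replayed."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(user_id)
    if record is None:
        return False
    if now > record["expires_at"]:
        RESET_TOKENS.pop(user_id, None)  # expired: discard it
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["token_hash"]):
        return False  # constant-time compare, no timing leak
    RESET_TOKENS.pop(user_id, None)  # single use
    return True

def hash_new_password(password, salt=None):
    """Step 5: store a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest
```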

himik, 2013-04-12
@himik

1. The user enters their email, and you send a link with the generated token there
2. After clicking the link from the email, either let them enter a new password, or send a newly generated password to the email again

lubezniy, 2013-04-12
@lubezniy

In case the email is unavailable, it will not hurt to send an SMS to the phone and have the user enter the received code on the site. But this is more difficult.
