Question about the password recovery form on the site
We made a form with a field for entering an e-mail address and a "Retrieve password" button.
When you click it, a link of the following form is sent to that e-mail (if it exists in the database):
site.ru/fastlogin/[email protected]/823497378934270324789543
From the link, we check whether the e-mail and the password hash (823497378934270324789543) match the account data. If so, the person is automatically logged in to the site. That is, I follow the link and I'm already logged in.
Everything seems very easy and convenient. But it feels like there are some pitfalls here. Maybe you will see them?
It is necessary to record in the database when such a link is generated and to give it a certain TTL. I have analyzed how often users recover their password (for an online store, for example); in 99% of cases it goes like this: we go to the site, we don't remember the password or login, we go to the recovery form, enter our e-mail there, and immediately go to the mailbox to wait for the link.
That is, with an "expiration date" of, say, 1 hour for such a link, everything should work without problems and leave no chance to brute-force the password hash.
And of course, if the user has not clicked "recover password" on the site, there will be no TTL in the database, which means this also protects against generating such links from e-mail / password hash pairs.
This should not be a hash of the password, but a random string that is generated when you click "recover password" and that has a certain expiration date.
Such a link can end up in the browser history, etc. (remember search engines indexing links to orders in online stores?)
Only if you try to brute-force the hash, i.e. make many requests to the generated links, in which the e-mail we need is constant and the hash is generated anew each time.
Here you can impose some limits on the number of hashes for a particular e-mail, e.g. three hashes per hour per e-mail; anything above that counts as a hacking attempt.
And how is the fact that the user wants to recover the password recorded? That is, that you clicked the "Retrieve password" button on the site?
I can describe the implementation on one of our projects:
1) the user enters an e-mail;
1.1) we check that this account exists;
2) we send a link to the e-mail with a unique generated identifier (tied to the account); clicking it takes the user to a page with 2 input fields - a new password and its confirmation.
3) when the form is submitted, we write the hash of the new password into the temporary password field and send a link to the user's e-mail to confirm this operation (the password change).
4) the link has a "lifetime" (6 hours in our case); if the user follows the link within this time, we replace the password hash with the new one and, voilà, the user has a new password.
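The flow in steps 1 to 4 above, written out as an added Python example (not code from the project described): tokens are random rather than derived from the password hash, only their hash is stored, each is single-use and time-limited, and reset requests are limited per e-mail as suggested earlier in the thread. The in-memory dicts standing in for the database and the example account are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the project's database (assumption).
ACCOUNTS = {"user@example.com": {"password_hash": "hash-of-old-password", "pending_hash": None}}
TOKENS = {}            # sha256(token) -> {"email", "purpose", "expires"}
ISSUED = {}            # email -> times a reset was requested (for the per-email limit)
TOKEN_TTL = 6 * 3600   # the 6-hour link lifetime described above
MAX_PER_HOUR = 3       # the "three per hour for one email" limit suggested above

def _issue(email, purpose, now):
    """Create a random single-use token; only its hash is stored server-side."""
    token = secrets.token_urlsafe(32)    # 256 random bits: infeasible to guess
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "purpose": purpose, "expires": now + TOKEN_TTL}
    return token

def _consume(token, purpose, now):
    """Delete the token on first use; valid only if unexpired and for this purpose."""
    rec = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or rec["purpose"] != purpose or now > rec["expires"]:
        return None
    return rec["email"]

def request_reset(email, now=None):
    """Steps 1-2: return the token for the e-mailed link, or None (unknown account / over limit)."""
    now = time.time() if now is None else now
    recent = [t for t in ISSUED.get(email, []) if now - t < 3600]
    if email not in ACCOUNTS or len(recent) >= MAX_PER_HOUR:
        return None                      # the HTTP response must look the same in both cases
    ISSUED[email] = recent + [now]
    return _issue(email, "reset", now)

def submit_new_password(token, new_password_hash, now=None):
    """Step 3: park the new hash in the temporary field, then issue the confirmation link."""
    now = time.time() if now is None else now
    email = _consume(token, "reset", now)
    if email is None:
        return None
    ACCOUNTS[email]["pending_hash"] = new_password_hash
    return _issue(email, "confirm", now)

def confirm_new_password(token, now=None):
    """Step 4: a valid confirmation link promotes the pending hash to the real one."""
    now = time.time() if now is None else now
    email = _consume(token, "confirm", now)
    if email is None or ACCOUNTS[email]["pending_hash"] is None:
        return False
    acct = ACCOUNTS[email]
    acct["password_hash"], acct["pending_hash"] = acct["pending_hash"], None
    return True
```

Because the link only leads to the new-password form and never logs the user in by itself, a token leaked through browser history or a search index is worthless once it has been used or has expired.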