#1 spoondevil (SitePoint Evangelist)

    Best Way to Reset a User's Password

    So on my site, users can sign up and if they happen to forget their password, they can fill in their username or email address and the backend resets their password to a random one and emails it to them - if they exist in the database.

    Would it be better to do the following though?


    1. User enters their username/email and requests their password be reset.
    2. Web site sends them an email asking if they really want to and encloses a unique hash in a URL.
    3. User can then click this URL if they really do want to reset their password.
    4. Password is reset and they are sent an email telling them the password.


    I thought this idea would be better, as you could have a malicious user on your site continually resetting everyone's passwords, and then the "innocent" users wouldn't be able to access the site until they had checked their email and got their new password, gone to the site, logged in and then changed their password. Bit of a hassle for the users.

    Is this the way that most user sites work with password resetting?

#2 (SitePoint Evangelist)
    I would personally not send them the password by email...

    Rather, why don't you derive your proposal to:
    1) User enters their username/email and requests their password be reset.
    2) Web site sends them an email asking if they really want to and encloses a unique hash in a URL valid for a couple of minutes only, and maybe checking the origin IP of the request with the IP of the confirmation.
    3) User can then click this URL if they really do want to reset their password.
    4) Password is changed, and the new password is displayed on the page.

    From there the user could change it if he wants to.
    It may be me, but I always tend to not send any password by emails.
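
The flow proposed above (request, emailed single-use link that is only valid for a short window, password changed only when the link is followed), as an added Python sketch that is not from this thread; the in-memory stores, the 10-minute window and the helper names are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 600  # assumed: emailed link is valid for 10 minutes

# Constructed in-memory stores standing in for the site's database.
USERS = {"alice@example.com": {"password_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ...}


def hash_password(password, salt=None):
    """Salted PBKDF2 digest; a real site would use its framework's hasher."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(email, password):
    stored = USERS[email]["password_hash"]
    return stored is not None and secrets.compare_digest(stored, hash_password(password, stored[:16]))


def request_reset(email, now=None):
    """Steps 1-2: mint a token for the emailed URL. The account itself is
    untouched, so someone requesting resets in other people's names cannot
    lock them out. Only the token's hash is stored. Returns the raw token,
    or None for an unknown address (show the same message either way)."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = {"email": email, "expires": now + TOKEN_TTL}
    return token


def confirm_reset(token, now=None):
    """Steps 3-4: the user follows the link; only now is the password changed.
    The token is removed on first use whether or not it is still valid, so it
    cannot be replayed. Returns the new password, or None if the token is
    unknown, expired or already used."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry["expires"]:
        return None
    new_password = secrets.token_urlsafe(12)
    USERS[entry["email"]]["password_hash"] = hash_password(new_password)
    return new_password
```

The returned password is what the confirmation page would display; the raw token goes only into the emailed URL and never into the database.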

#4 Tim Greer (SitePoint Enthusiast)
    Make sure to use a verified method, by having a secret question and answer, as well as their email. Otherwise anyone can start annoying users by making illegitimate password requests if they knew their email. The rest of the advice above is good, so I just wanted to add that to it.
    Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
    http://www.burlyhost.com/ Shared Hosting, Reseller Hosting, more!
    Industry's most experienced staff! -- Web Hosting With Muscle!

#5 rageh (SitePoint Guru)
    I agree with Tim Greer.

    I would also add: don't make the secret question too hard to remember later, like my bank does, asking me a random question out of a few questions that they made me answer when I was registering for the service. Almost every time, I give the wrong answer, and after 2 more attempts they freeze my account, prompting me to call their tech department. I hate it.

    I suggest, besides the email/username, ask mother's maiden name or sporting hero. Then have the system reset the password. For added security, force them to change the password afterwards although most users would change it anyway as the automatically-generated passwords are hard to remember.

#6 (SitePoint Zealot)
    Time-sensitive verification is also handy, e.g. only 3 forgotten password requests per day.
