I would like to ask some questions about password security. In my software the admin can create a new user by setting the password and the username. I believe sending the password in plain text in an email is not a very good idea, so I'm thinking about sending a link that redirects the user to a page where they can set up their password. This link should expire after a few hours as well. On my login form I also have the option "forgot password"; how can I prevent a user from using it before they have created their new password? How would you do it?
These two things should be the same operation.
1. User is created by admin. Password is not created; password is a completely random 64 character long scramble. At this point, no one knows the password.
2. A sufficiently long random character scramble is generated as 'forgot_password_link' in the database.
3. User is provided an email with a url to 'setpassword.php?fplink=thescramblefromsteptwo'
4. User clicks on link, and goes to the page.
5. Page looks up who 'thescramblefromsteptwo' refers to, and allows the user to set their password. It updates the password, and clears 'forgot_password_link' from the database.
Note that even if the user doesn't go to the link the system automatically generates at user creation, the steps for 'forgot password' are steps 2-5 of this procedure. So there's no harm in the user doing so. The only difference is perhaps the wording of the email used. So your 'create user' procedure is: Add user to database. Trigger a 'forgot password' on user.
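The five steps above, worked through as an added example (not code from the thread or its posters): Python with an in-memory dict standing in for the database table, the token stored only as a hash, a four-hour expiry for the link (an assumption, the thread only says "a few hours"), and PBKDF2 for the password hash.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 4 * 3600        # assumption: set-password links expire after four hours
PBKDF2_ROUNDS = 200_000

users = {}                  # constructed in-memory stand-in for the users table
reset_tokens = {}           # sha256(token) -> (username, expiry): the 'forgot_password_link' column

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def start_password_reset(username, now=None):
    """Steps 2-3: mint a single-use token, store only its hash, return the raw token for the email URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
    return token

def create_user(username, email, now=None):
    """Step 1: the account starts with a random 64-character password nobody knows,
    then a reset is triggered exactly as 'forgot password' would trigger it."""
    salt = secrets.token_bytes(16)
    users[username] = {"email": email, "salt": salt,
                       "pw_hash": _hash_password(secrets.token_hex(32), salt)}
    return start_password_reset(username, now)

def set_password(token, new_password, now=None):
    """Steps 4-5: resolve the token, reject unknown or expired ones, update the hash, clear the token."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(key, None)   # pop: the link is consumed even if the checks below fail
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry or username not in users:
        return False
    salt = secrets.token_bytes(16)
    users[username].update(salt=salt, pw_hash=_hash_password(new_password, salt))
    return True

def verify_login(username, password):
    """Login check; the random initial password can never be guessed, so step 1 leaves no usable account."""
    user = users.get(username)
    if user is None:
        return False
    return secrets.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))
```

Because only the token's hash is stored, a copy of the table does not let anyone set another user's password, and the pop makes the link single-use whether or not it had expired.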
Hi @m_hutley many thanks for your suggestion. I forgot to mention that I also need to give the option to print a paper letter with the password as well, so maybe I should also use a temporary password?
Couldn’t you print a QR code as a link to a reset password page?
Hi @rpkamp yes it is a great idea, but the reason for the letter is because the software should be easy to use also for people that are not very good with computers. I'll give you an example: my dad can easily check his email and log in with username and password, but he wouldn't know what a QR code is or how to use it.
The simplest solution here that keeps the security is if you create another page that has a short link.
In the letter you have some text explaining what the user should do, then three sections: one for the link, one that contains their email, and finally a hash (make certain you use a hash that is easily read, and that letters that can be confused are not used).
The user will manually type in the link (hence the short link requirement). Afterward, they will enter their email in the form on the page and also the validation hash.
The tricky part with letter validation like this is how long the validation hash should stay valid. This depends on the postage solution used, and should always be longer than the "longest shipping option" just in case something happens and it takes longer to deliver.
Why would that have anything to do with the password (re)set operation? At the END of the operation, in step 5, your script has whatever the user typed in stored, and can offer to print it if you want to do that. I highly recommend against it, but that’s your own boat to sail.
Printing out a temporary password does no one any good, except wasting paper.
Hi @m_hutley the problem is that the administrator can import some users from a csv file and for each one of them he can decide to create paper letters if for example the user doesn’t have an email address.
And what does he do when one of those users forgets their password?
If the user is not able to use the forgot password option because they don't have an email, then the admin will create a new temporary password, which will be communicated with another paper letter, and then the user will be forced to change it again when they log in.
Well, you come here asking for advice about security, and then tell us the admins will have the ability to know and change user passwords at a whim, and users will rely on the admin who decided to change their password handing them a piece of paper.
I think your strategy is more flawed than your execution.
Hi @m_hutley thanks for your reply. Following your suggestion I now have decided not to print paper letters for users. Thanks for your help