How to Implement Password Resets?
I'm working on an application in ASP.NET, and was wondering specifically how I could implement a
Password Reset function if I wanted to roll my own.
Specifically, I have the following questions:
- What is a good way of generating a Unique ID that is hard to crack?
- Should there be a timer attached to it? If so, how long should it be?
- Should I record the IP address? Does it even matter?
- What information should I ask for under the "Password Reset" screen? Just email address? Or maybe email address plus some piece of information that they 'know'? (Favorite team, puppy's name, etc.)
Are there any other considerations I need to be aware of?
NB: Other questions have glossed over technical implementation entirely. Indeed the accepted answer glosses over the gory details. I hope that this question and subsequent answers will go into the gory details, and I hope by phrasing this question much more narrowly that the answers are less 'fluff' and more 'gore'.
Edit: Answers that also go into how such a table would be modeled and handled in SQL Server, or any ASP.NET MVC links to an answer, would be appreciated.
Lots of good answers here, I won't bother repeating it all...
Except for one issue, which is repeated by almost every answer here, even though it's wrong:
Guids are (realistically) unique and statistically impossible to guess.
This is not true: GUIDs are very weak identifiers, and should NOT be used to allow access to a user's account. If you examine the structure, you get a total of 128 bits at most... which is not considered a lot nowadays. Out of which the first half is typically invariant (for the generating system), and half of what's left is time-dependent (or something else similar). All in all, it's a very weak and easily brute-forced mechanism.
So don't use that!
Instead, simply use a cryptographically strong random number generator (System.Security.Cryptography.RNGCryptoServiceProvider), and get at least 256 bits of raw entropy.
All the rest, as the numerous other answers provided.
First, we need to know what you already know about the user. Obviously, you have a username and an old password. What else do you know? Do you have an email address? Do you have data regarding the user's favorite flower?
Assuming you have a username, password and working email address, you need to add two fields to your user table (assuming it is a database table): a date called new_passwd_expire and a string new_passwd_id.
Assuming you have the user's email address, when someone requests a password reset, you update the user table as follows:
new_passwd_expire = now() + some number of days
new_passwd_id = some random string of characters (see below)
Next, you send an email to the user at that address:
Someone has requested a new password for user account <username> at <your website name>. If you did request this password reset, follow this link:
If that link does not work you can go to http://example.com/yourscript.lang and enter the following into the form: <new_password_id>
If you did not request a password reset, you may ignore this email.
Thanks, yada yada
Now, coding yourscript.lang: This script needs a form. If the var update passed on the URL, the form just asks for the user's username and email address. If update is not passed, it asks for username, email address, and the id code sent in the email. You also ask for a new password (twice of course).
To verify the user's new password, you verify the username, email address, and the id code all match, that the request has not expired, and that the two new passwords match. If successful, you change the user's password to the new password and clear the password reset fields from the user table. Also be sure to log the user out/clear any login related cookies and redirect the user to the login page.
Essentially, the new_passwd_id field is a password that only works on the password reset page.
One potential improvement: you could remove <username> from the email. "Someone has requested a password reset for an account at this email address...." Thus the username becomes something only the user knows if the email is intercepted. I didn't start off that way because if someone is attacking the account, they already know the username. This added obscurity stops man-in-the-middle attacks of opportunity in case someone malicious happens to intercept the email.
As for your questions:
generating the random string: It doesn't need to be extremely random. Any GUID generator or even md5(concat(salt,current_timestamp())) is sufficient, where salt is something on the user record like timestamp account was created. It has to be something the user can't see.
timer: Yes, you need this just to keep your database sane. No more than a week is really necessary but at least 2 days since you never know how long an email delay might last.
IP Address: Since the email could be delayed by days, IP address is only useful for logging, not for validation. If you want to log it, do so, otherwise you don't need it.
Reset Screen: See above.
Hope that covers it. Good luck.
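The flow described in this answer, combined with the point made in the earlier answer about generating the code from a cryptographically strong RNG, as an added C# example (not code from either answerer). It models the two columns the answer adds, new_passwd_expire and new_passwd_id, in memory; the table name "Users", the class and method names, and the choice to store a SHA-256 digest of the code rather than the code itself are assumptions, not part of the answer. Both steps are in one class so the request side and the yourscript.lang side can be read together:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example; not code from either answer. Assumed SQL Server shape for the two
// columns the answer adds to the user table (the table name "Users" is assumed):
//
//   ALTER TABLE Users ADD
//       new_passwd_expire DATETIME2 NULL,
//       new_passwd_id     CHAR(64)  NULL;  -- SHA-256 hex of the code, not the code itself
public class UserRecord
{
    public string Username;
    public string Email;
    public string PasswordHash;        // whatever the application already stores
    public DateTime? NewPasswdExpire;  // new_passwd_expire
    public string NewPasswdId;         // new_passwd_id: digest of the e-mailed code
}

public class PasswordResetService
{
    private readonly Dictionary<string, UserRecord> _users;  // stands in for the Users table
    private readonly Func<string, string> _hashPassword;     // the application's existing password hasher
    private readonly TimeSpan _lifetime;                     // the answer suggests 2 to 7 days
    private readonly Func<DateTime> _now;                    // injected so expiry can be tested

    public PasswordResetService(IEnumerable<UserRecord> users, Func<string, string> hashPassword,
                                TimeSpan lifetime, Func<DateTime> now)
    {
        _users = new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);
        foreach (UserRecord u in users) _users[u.Username] = u;
        _hashPassword = hashPassword;
        _lifetime = lifetime;
        _now = now;
    }

    // Step 1, the "forgot password" form. Returns the code to put in the e-mail, or null
    // when username and e-mail do not match; show the same neutral page either way.
    public string RequestReset(string username, string email)
    {
        UserRecord user;
        if (!_users.TryGetValue(username, out user) ||
            !string.Equals(user.Email, email, StringComparison.OrdinalIgnoreCase))
            return null;

        string code = NewCode();                       // 256 bits from the CSPRNG, URL-safe
        user.NewPasswdExpire = _now().Add(_lifetime);  // new_passwd_expire = now() + lifetime
        user.NewPasswdId = Sha256Hex(code);            // new_passwd_id = digest of the code
        return code;
    }

    // Step 2, yourscript.lang. Every check the answer lists, then the reset fields are
    // cleared so the code is single-use. The caller signs the user out and redirects to login.
    public bool CompleteReset(string username, string email, string code,
                              string newPassword, string newPasswordAgain, out string error)
    {
        UserRecord user;
        bool match = _users.TryGetValue(username, out user)
                  && string.Equals(user.Email, email, StringComparison.OrdinalIgnoreCase)
                  && user.NewPasswdId != null
                  && FixedTimeEquals(Sha256Hex(code ?? ""), user.NewPasswdId);
        if (!match)
        {
            error = "Username, e-mail address and reset code do not match.";
            return false;
        }
        if (user.NewPasswdExpire == null || user.NewPasswdExpire.Value < _now())
        {
            error = "This reset request has expired; please request a new one.";
            return false;
        }
        if (string.IsNullOrEmpty(newPassword) || newPassword != newPasswordAgain)
        {
            error = "The two passwords do not match.";
            return false;
        }

        user.PasswordHash = _hashPassword(newPassword);
        user.NewPasswdExpire = null;   // clearing both fields is what makes the code single-use
        user.NewPasswdId = null;
        error = null;
        return true;
    }

    // 32 random bytes from RNGCryptoServiceProvider (RandomNumberGenerator.Create() is the
    // non-obsolete equivalent on current .NET), Base64 made URL-safe for the e-mail link.
    private static string NewCode()
    {
        var raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
        return Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static string Sha256Hex(string s)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(s))).Replace("-", "");
    }

    // Constant-time comparison so response timing does not reveal how much of the code matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The controller behind the "forgot password" form calls RequestReset and puts the returned code in the link; the controller behind yourscript.lang calls CompleteReset with the four form fields and the code, and on true clears the login cookies and redirects to the login page. Storing only the digest means a read of the Users table does not yield a working reset link, and the injected clock lets a unit test drive the "request has expired" branch without waiting days.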
A GUID sent to the email address of record is likely enough for most run-of-the-mill applications - with timeout even better.
After all, if the user's mailbox has been compromised (i.e. a hacker has the login/password for the email address), there is not much you can do about that.
You could send an email to the user with a link. This link would contain some hard-to-guess string (like a GUID). On the server side you would also store the same string as you sent to the user. Now when the user clicks the link you can find the entry in your DB with the same secret string and reset its password.