16 February 2008
Forgot password security design
To err is human. To forget is even more human.
Let’s delve into some of the design considerations. Your comments are greatly appreciated.
1. Pre-Canned Questions or User-Defined Questions?
My colleague Rocky blogged about it. A must read!
2. Never send password by email.
The Internet is ugly: lots of sniffers running, email servers getting hacked, and so on.
3. Never display the current password on screen. Even if you set no-caching headers, some proxy server might not honor them.
Instead, generate a temporary password when the user successfully answers the question(s). Needless to say, the generated password should be a strong one.
4. When a temporary password is issued, force the user to change it the first time she logs in with it.
5. Use POST
Consider this: suppose the URL of the forgot-password page that shows the password once the user has answered the questions looks like
www.domain.com/forgotpassword.aspx?challenge=X&response=Y
Now imagine an ad is displayed on that same page and the user clicks on it. What goes in the HTTP Referer header? The URL of the originating page, which in our case carries the challenge and response in the query string. You don't want other domains to learn your users' passwords, right? Sending the challenge and response in a POST body keeps them out of the URL.
6. Verify that it is a human who is requesting the password be sent to his/her alternate email address. Use Human Interaction Proofs (HIPs) such as CAPTCHA for this.
7. Though I won't recommend sending links to the alternate email address to reset the password, if it is absolutely necessary, force the link to expire in a few minutes, say 15 minutes.
a. The reset-password link should be a nonce: one-time use only.
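Items 3, 4, 7 and 7a together describe a small piece of server-side state: a strong temporary password, a reset token that expires after 15 minutes and is honoured exactly once, and a flag that forces a password change at the next login. The following is an added example, not code from the original post; the class and function names (PasswordResetStore, generate_temporary_password, FakeClock) and the 15-minute TTL constant are assumptions chosen for illustration. Only a hash of the token is stored, so a leaked database copy does not yield usable reset links.

```python
import hashlib
import secrets
import string
import time
from dataclasses import dataclass

# Item 7: reset links expire after a few minutes; 15 minutes as the post suggests.
TOKEN_TTL_SECONDS = 15 * 60

# Item 3: alphabet for strong temporary passwords (hypothetical choice of symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


@dataclass
class ResetRecord:
    user: str
    expires_at: float
    used: bool = False


class FakeClock:
    """Injectable clock so expiry can be exercised deterministically (test helper)."""

    def __init__(self, now: float = 1_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class PasswordResetStore:
    """Issues one-time, time-limited reset tokens and tracks forced password changes."""

    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._records: dict[bytes, ResetRecord] = {}  # keyed by SHA-256 of the token
        self._must_change: set[str] = set()  # item 4: users who must rotate at next login

    @staticmethod
    def _hash(token: str) -> bytes:
        # The raw token is only ever in the emailed link; storage sees its hash.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue_token(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._hash(token)] = ResetRecord(user, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem_token(self, token: str):
        """Return the user for a valid token, or None if unknown, expired, or already used."""
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        rec.used = True  # item 7a: nonce, one use only
        self._must_change.add(rec.user)  # item 4: temporary credential must be rotated
        return rec.user

    def needs_password_change(self, user: str) -> bool:
        return user in self._must_change

    def password_changed(self, user: str) -> None:
        self._must_change.discard(user)


def password_is_strong(pw: str) -> bool:
    """Minimum mix for a generated temporary password: all four character classes."""
    return (
        any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )


def generate_temporary_password(length: int = 16) -> str:
    """Item 3: a CSPRNG-generated temporary password that passes the class check."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_is_strong(pw):
            return pw


def demo() -> dict:
    """Walk through issue, redeem, replay, and expiry using the fake clock."""
    clock = FakeClock()
    store = PasswordResetStore(clock=clock)
    tok = store.issue_token("alice")  # constructed sample user
    first = store.redeem_token(tok)
    replay = store.redeem_token(tok)  # second use of the same nonce
    tok2 = store.issue_token("bob")
    clock.now += TOKEN_TTL_SECONDS + 1  # step past the 15-minute window
    expired = store.redeem_token(tok2)
    return {
        "first": first,
        "replay": replay,
        "expired": expired,
        "alice_must_change": store.needs_password_change("alice"),
        "bob_must_change": store.needs_password_change("bob"),
    }


if __name__ == "__main__":
    print(demo())
    print(generate_temporary_password())
```

The token is compared by dictionary lookup on its hash rather than by scanning records, so a guessed token reveals nothing about which records exist; the force-change flag is set on redemption rather than on issue, so merely requesting a reset cannot lock a legitimate user into a password change they did not initiate.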