Saturday, June 20, 2009

Forgot Password

The Forgot Password feature is something you will definitely need. Your users will have umpteen dozen username/password combos to remember (from other applications) and most users will forget their password at least once, if not many times.

However, this feature needs to be implemented carefully, or you run the very real risk of opening up a security hole that invites attackers to walk right in.

Step 1.) Send the user a password reset email

Since the user has forgotten their password, you will need to set up a new one (securely).
  • Why? - Because you hashed the password - right? So you can't just tell them their password.
You will want to ask for the email address of the user. This does 2 things for you:
  1. It lets you verify that there actually is a user in your system with this email address.
  2. It ensures that the password reset email you send is opened up by the "true" owner of the account. e.g. it isn't just the next user in line at the Internet Cafe that is trying to mess with a user's account.

The email should clearly indicate:
  • What site the request came from (e.g. Example.com)
  • What action is being requested (e.g. password reset vs. address change)
  • What the user should do if they believe they received this email in error (e.g. a bogus request)
  • What will happen if the email is ignored (e.g. Nothing will change)

If the email is ignored, nothing happens to the account. This step is also important to make sure that a hacker isn't just sending in reset requests to "disable" existing accounts.

Within the email you will need to include a "key" (typically a short hash) that the user needs to enter to "confirm" the password reset request... and/or a link in the email (that includes the key) so the user can return to the site confirming the reset request. Make sure you provide both - there are some users out there with old email clients that won't auto-create the hyperlink, and there are also users out there who for security reasons want to type in the site address themselves (e.g. for banking sites - to avoid phishing emails).

Step 2.) User confirmation of password reset action

By arriving at your site on the password reset page (with the key in the URL), or at a page where they can enter it manually, the user confirms that they requested this action.


Step 3.) Enter new password (and verify)

Once confirmed, the user must supply a new password (optionally meeting your password strength requirements) and enter it twice to ensure they haven't made a silly typo.

Depending on the security level of your site, you might have another step (e.g. what if the email account itself was compromised?). For financial applications you typically want the user to also enter some key piece of information to ensure they really are the person they claim to be. If this is the case, this step should come before setting the new password.

e.g. Security Question/Response:

Q.) "What was your first pet's name?"
A.) "Sticky Paws"

Step 4.) Inform the user

Once the new password is set, inform the user that it has been set and remind them they'll need to remember this... but not write it down for security reasons.

Step 5.) What next?

Again, depending on the security level of your site... once the password has been reset you can either "automatically" log the user in, or explicitly log them out. Forcing the user to log out is actually considered a good thing in some cases since a.) the user could be "done" with all they planned to do at that point, or b.) making the user log in with the new credentials ensures that they at least remember the password for 2 minutes ;-) and re-typing it helps commit the new password to memory.
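To tie the five steps together, here is an added example (my own code, not from the original post) of a minimal reset service in Python. It assumes an in-memory user store, a fake "outbox" standing in for the mail sender, a hypothetical https://example.com/reset link, a 30-minute key lifetime and a 12-character minimum password length; all of those are assumptions, not anything the post specifies. The points it illustrates are the ones the post makes: the password is stored only as a salted hash, the reset key is random and itself stored only as a hash, an ignored email changes nothing, the key is single-use and expires, and a successful reset invalidates existing sessions (the explicit "log them out" option of Step 5).

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60   # assumed policy: reset keys live for 30 minutes
MIN_PASSWORD_LEN = 12         # assumed strength rule for Step 3
PBKDF2_ROUNDS = 200_000


@dataclass
class User:
    email: str
    password_hash: str                        # salted PBKDF2 hash, never cleartext
    reset_key_hash: Optional[str] = None      # sha256 of the emailed key, or None
    reset_expires: Optional[float] = None     # unix time after which the key is dead
    session_generation: int = 0               # bump to invalidate every live session


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored as 'salthex$dkhex'."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def _key_hash(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


class ResetService:
    def __init__(self, users, now=time.time):
        self.users = {u.email.lower(): u for u in users}
        self.now = now            # injectable clock so expiry can be tested
        self.outbox = []          # constructed stand-in for the mail sender

    def request_reset(self, email: str) -> None:
        """Step 1: send a keyed email; behave identically for unknown addresses."""
        user = self.users.get(email.lower())
        if user is None:
            return                # no mail, no error: don't reveal which addresses exist
        key = secrets.token_urlsafe(24)            # unguessable, not derived from user data
        user.reset_key_hash = _key_hash(key)       # only the hash is stored server-side
        user.reset_expires = self.now() + TOKEN_TTL_SECONDS
        self.outbox.append({
            "to": user.email,
            "subject": "Example.com password reset request",
            "key": key,                                            # for manual entry
            "link": f"https://example.com/reset?key={key}",        # hypothetical URL
            "note": "If you did not request this, ignore it; nothing will change.",
        })

    def confirm(self, email: str, key: str) -> bool:
        """Step 2: the key must match the stored hash and be unexpired. Nothing changes yet."""
        user = self.users.get(email.lower())
        if user is None or user.reset_key_hash is None:
            return False
        if self.now() > user.reset_expires:
            self._clear(user)
            return False
        return hmac.compare_digest(_key_hash(key), user.reset_key_hash)

    def set_new_password(self, email: str, key: str, new_pw: str, new_pw_again: str) -> bool:
        """Steps 3-5: valid key, matching entries, strength rule; then key is consumed
        and every existing session is invalidated so the user must log in afresh."""
        if not self.confirm(email, key):
            return False
        if new_pw != new_pw_again or len(new_pw) < MIN_PASSWORD_LEN:
            return False
        user = self.users[email.lower()]
        user.password_hash = hash_password(new_pw)
        user.session_generation += 1   # Step 5: explicit logout of all prior sessions
        self._clear(user)              # Step 4 is where the app tells the user it succeeded
        return True

    @staticmethod
    def _clear(user: User) -> None:
        user.reset_key_hash = None
        user.reset_expires = None
```

Two things the block deliberately does not do, and a real deployment should: rate-limit `request_reset` per address and per source so the feature cannot be used to flood a mailbox, and require the extra identity check the post describes for high-security sites before `set_new_password` is allowed to proceed.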
