Best ways to implement password reset feature in your web application

Hope you don’t need the explanation about this as you know it. some systems are using weak password reset methods which are not user friendly and not secure for the system/app as well as users. I’m going to explain a brief summary of the password reset methods with advantages and disadvantages.

Option 1: Send an Email with original password

The developer has the original password available either in plain text or a two-way encoding in the database that can easily be turned into plain text. The security implications of sending a password via unencrypted email: what happens when an attacker gets a hold of that database, or manages to get it to start coughing up that data? This is very weak method and not secure. Even send the new auto generated/random password, this email method cannot be accepted as secure method.

First problem: There are no guarantees that it is the user of the account who makes the password reset request. The reset password form simply asks for a username or an email address or phone number. You can easily enter the email address of someone else. Therefore, it is possible to prevent someone from logging in by resetting his/her password regularly.

Second problem: The password is clearly visible in the email inbox. Some people do not protect their computers or cell phones with any password. In this case, you can simply get the new password and log in as using it. This can be easily countered by forcing the user to change his/her password upon the first login with the new password. Thus, the password present in the email won’t be valid after the reset. Also, the generated password has no expiration date. When you reset your password, you are expected to do it right now. So, the generated password should not be valid more than 10 minutes. This means someone must be able to read your emails in the next 10 minutes to be able to access your account.

 

Option 2: Email a limited time password reset linkĀ  / Create a password reset token

Another path that uses email as the identity validation system is to send out a link that contains a long string of random characters that leads to a one-use, limited time password reset screen. This is more secure than Option1 because the link can only be used once and with a limited window that it can be exploited if the link got into the wrong hands. It still has the weakness of using the user’s email system as the determinant of identity, though.

Example: http://exmaple.com/password-reset?token=OZkzukALuOIxFY4VLm6StQ~~/AAMOnQA~/RgRfvJrQP0RWaHR0cHM6Ly93d3cuYmFpc2NvcGVsay5jb20vd3AtbG9naW4ucGhwP2FjdGlvbj1ycCZrZXk9Q3N5VUlZcjlpS1VHdWJvZ29jRjAmbG9naW49c21pdGhXA3NwY0IKAC3QFdpdgmxdY1IYc3VtaXRoLmhhcnNoYW5AZ21haWwuY29tWAQAAAAA

This token does not replace the current password, does not match the new password and is long enough to not be brute force.

 

Option 3: Secret questions

Asking answers for the security questions for the verification. These answers are selected by the user when creating the profile. Unfortunately sometimes, just going on the Facebook profile can give you the answers. Anyone can guess the answer. This solution is not very practical, and its result is really not guaranteed.

 

Option 4: Reset password via phone call / SMS

Some websites are now sending a confirmation code through SMS messages to perform password resets process. Gmail only sends the password token emails to only the single recovery email on file, and provides only a code (no link). The big downside is for users without access to SMS messaging; depending on your target audience (such as military personnel in highly secured locations, people in remote areas, etc.). Also another way is sending verification code as sms and should enter and verify it before go to the password reset page. This is also success process.

The Final thought is Option 4 which is Reset password via Phone call or SMS is the better way. But it depends on your requirements. Facebook uses various methods to verify. First reset via sms code, send as email this code, if not success answer to security questions, if not worked then select friends names from your photos added in Facebook, or check the comment added by you…etc.