Question

What is the standard regarding expiration of emailed reset password keys?

My application generates a 30 character alphanumeric key which is appended to the URL: http://site.com/reset/keygoeshere

The key is deleted from the user's account once he has reset his password.

This question talks about expiring keys, but another user mentioned that if an email account is compromised, then they can obviously easily request a new reset key.

I guess the main potential vulnerability of this approach is that someone might try and brute-force the reset key and, while he wouldn't know which account the key belonged to, he can still change someone's password.

For example, I just clicked a reset link from facebook that was sent 3 days ago and it still worked.

Is expiration of password reset keys necessary in terms of standard practice? If so, for how long should we let the key stay "fresh"?


Solution

You can't be expected to deal with a user's email account being compromised. However, to prevent brute force, a short expiry time, like 15 minutes, is desirable. If a user is requesting a password reset, they typically want to get access now, and if for some reason they are requesting a password reset link to use later, well, screw them, they have to request another one. The very first comment on the Q you linked pretty much sums it up, and if a user doesn't like the fact that you are keeping them secure, that's their problem.

Also, you can make the reset more secure by having a challenge question. Something like "What was your first car". These types of measures are standard and while the info is typically not difficult to find out about a user, the random brute-forcer probably isn't going to bother, especially if he only has up to 15 minutes to try and brute force that particular reset link.
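As an added example (not code from the question or from any of the answers), the following stdlib-only Python sketch shows what the properties discussed above look like when implemented: a token drawn from a CSPRNG with enough entropy that brute force is not practical, stored only as a hash so a database leak does not expose live reset links, a 15-minute expiry as the answer suggests, single use, and a newer request superseding any earlier outstanding token. The class and function names, and the injectable clock, are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed expiry window; the answer suggests 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Hypothetical in-memory store for emailed password-reset tokens.

    Only the SHA-256 of each token is kept, keyed by that hash, so the raw
    token exists solely in the email that was sent to the user.
    """

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing expiry
        self._records: dict[str, ResetRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh single-use token for user_id and return it (to be emailed)."""
        # Any earlier outstanding token for this user is invalidated, so only
        # the most recently emailed link works.
        for rec in self._records.values():
            if rec.user_id == user_id:
                rec.used = True
        # 32 random bytes = 256 bits of entropy, URL-safe (43 characters).
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = ResetRecord(
            user_id=user_id,
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem(self, token: str) -> str | None:
        """Return the user_id if token is known, unexpired and unused, and mark it used.

        Returns None otherwise. Looking up by hash means the attacker never gets
        an equality comparison against the secret itself; guessing the hash
        preimage is as hard as guessing the token.
        """
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        rec.used = True          # burn the token on first successful use
        return rec.user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("alice")
    print("emailed link: http://site.com/reset/" + tok)
    print("first redeem:", store.redeem(tok))    # alice
    print("second redeem:", store.redeem(tok))   # None (single use)
```

On the brute-force concern in the question: a 30-character alphanumeric key already gives roughly 2^178 possibilities, so the expiry is less about making brute force infeasible and more about bounding how long a token sitting in a mailbox or a browser history stays valid.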

Other tips

A few notes:

  1. When the reset URL is reached, store the key in a cookie and immediately redirect so that it's not anywhere in a referrer. The cookie should expire upon the browser closing, and should be explicitly deleted when the password has been reset.
  2. I do a 3 hour reset for my service, and I think even that is too much time. 30 minutes even would be ok.
  3. A reset password link is not altogether insecure. If your service is holding any sort of credit card data, money exchange, or personal information, you should consider also including some challenge questions.

In my understanding, both are necessary; otherwise it will cause lots of serious security problems. Normally, for me, I only keep 4 hours.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow