Question

I've seen various questions regarding this issue, but there are a couple of questions that haven't been asked. If the user forgets their password, I would like them to be able to reset it with only their email address (i.e. there's no security question/answer). The password is stored as a salted hash, so there's no recovery possible. Instead, I'd just like the user to enter a new password after confirming that they have requested a reset.

A common method that's been mentioned is to simply:

1) Create a random Guid/Cryptographically strong random number

2) Send a unique URL containing the random number to the user's email address

3) When confirmed, the user is asked to change password

However, isn't this open to a MITM attack? If sending temporary passwords over the internet to an email address is insecure, what's the difference between doing that and simply sending a unique URL which the attacker can navigate to? Have I missed a key step somewhere that will make this system more secure (or is there a better way of resetting the password)?

Thanks


Solution

There has been some confusion about using sandboxed solutions. Essentially, only custom managed code (in sandboxed solutions) is deprecated, not sandboxed solutions themselves. From the SharePoint Dev blog:

"While developing sandboxed solutions that contain only declarative markup and JavaScript, which we call no-code sandboxed solutions (NCSS), is still viable, we recommend against using custom managed code within sandboxed solutions ... Because of the dynamic nature of online services, we determine the support requirements for coded sandboxed solutions in SharePoint Online according to customer demand. NCSSs continue to be supported."

In terms of best practices, I've noticed that CSOM seems to be winning the battle over declarative sandboxed solutions, though that is somewhat debatable.

See this great blog post about it.

Other tips

Your means of authenticating the user is a shared secret (the password).

If the user forgets that secret, you need a way of establishing a new shared secret. No matter what way you go about it, you'll still have the problem of authenticating the user in order to share that new secret.

If the only thing you know about the user that could be used to authenticate them is their email address, then you'll need some way to confirm that the user requesting a reset is in control of that email address.

And the only way so far to do that is to email a secret to that email address and check if they received it.

Which is always going to be open to a sufficiently sneaky MitM attack.

The reason you don't send a temporary password is to avoid the issue of "the user can't be bothered changing and so keeps using the insecure temporary password instead of their own secure one."

To mitigate the risk of a man-in-the-middle attack I use the following measures:

  • A reset request can be used one time only.
  • If a reset request is not used, it expires after one hour.
  • All reset requests are permanently logged whether it was ultimately completed or expired.
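The three measures in the answer above (single use, one-hour expiry, permanent logging), written out as an added example that is not code from the original post; it assumes an in-memory store and additionally keeps only a hash of the emailed token, so a leaked table cannot be replayed (that last point is an assumption, not something the answer states).

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 3600  # the answer's one-hour expiry


@dataclass
class ResetRecord:
    user_email: str
    token_hash: str          # only a hash of the token is kept (assumption, not in the answer)
    created_at: float
    status: str = "pending"  # pending | completed | expired


class PasswordResetService:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._records = {}       # token_hash -> ResetRecord
        self.audit_log = []      # permanent log of every request and its outcome

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create_request(self, user_email):
        """Step 1: cryptographically strong random token; the caller puts it in the emailed URL."""
        token = secrets.token_urlsafe(32)
        rec = ResetRecord(user_email, self._hash(token), self._now())
        self._records[rec.token_hash] = rec
        self.audit_log.append(("requested", user_email, rec.created_at))
        return token  # returned to the mailer, never stored in clear

    def redeem(self, token):
        """Step 3: returns the e-mail whose password may now be changed, or None if the token is unusable."""
        rec = self._records.get(self._hash(token))
        if rec is None or rec.status != "pending":
            self.audit_log.append(("rejected", None, self._now()))
            return None
        if self._now() - rec.created_at > RESET_TTL_SECONDS:
            rec.status = "expired"
            self.audit_log.append(("expired", rec.user_email, self._now()))
            return None
        rec.status = "completed"  # one-time use: a second visit to the same URL is rejected
        self.audit_log.append(("completed", rec.user_email, self._now()))
        return rec.user_email
```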
License: CC-BY-SA with attribution
Not affiliated with StackOverflow